sherlock-audit / 2023-11-covalent-judging


Atharv - No need to run validator just frontrun the transaction. #111

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

Atharv

high

No need to run validator just frontrun the transaction.

Summary

There is no need to run the validator node setup. You should be a valid validator, and you can copy the transaction, frontrun the transaction sent by another validator, and get the rewards.

Vulnerability Detail

Any valid validator can call the function BlockSpecimenProofChain.sol::submitBlockSpecimenProof, but an attacker can become a valid validator and do the frontrun. Suppose a validator runs the node, creates the blockhash and specimenHash, and calls the submitBlockSpecimenProof function. An attacker will read the transaction from the mempool, frontrun it, and get the rewards. There is not even a need to frontrun; just copy-pasting the transaction will work. Hence there is no need to run the node, just copy the transaction.

Impact

High

Code Snippet

Code

Tool used

Manual Review

Recommendation

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 6 months ago

Invalid, there seems to be a misunderstanding here. The address of the caller will be verified as a validator, so this is not possible.