search

sherlock-audit / 2023-11-covalent-judging

3 stars 2 forks source link

iberry - 'delete session.blockProperties[agreedBlockHash]' in BlockSpecimenProofChain._finalizeWithParticipants which contains a mapping #112

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

iberry

medium

'delete session.blockProperties[agreedBlockHash]' in BlockSpecimenProofChain._finalizeWithParticipants which contains a mapping

Summary

The smart contract 'BlockSpecimenProofChain' contains a vulnerability related to the deletion of a mapping element in the '_finalizeWithParticipants' function. The function deletes an element in the 'session.blockProperties' mapping, which contains a structure. This may lead to gas estimation inaccuracies, potential security risks, and unexpected behavior in the contract

Vulnerability Detail

The '_finalizeWithParticipants' function deletes a mapping 'session.blockProperties' element using 'delete session.blockProperties[agreedBlockHash]'. Deletion on a mapping containing a structure don't remove map data,the remaining data may be used to compromise the contract.

Impact

The remaining data may be used to compromise the contract.

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L441-L463

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L462

function _finalizeWithParticipants(BlockSpecimenSession storage session, uint64 chainId, uint64 blockHeight, bytes32 agreedBlockHash, bytes32 agreedSpecimenHash) internal {
    address participant;
    address[] storage participants = session.blockProperties[agreedBlockHash].participants[agreedSpecimenHash];
    uint256 len = participants.length;
    uint256 validatorBitMap; // sets the ith bit to 1 if the ith validator submits the agreed specimen hash

    mapping(address => SessionParticipantData) storage participantsData = session.participantsData;

    for (uint256 i = 0; i < len; i++) {
        participant = participants[i];
        SessionParticipantData storage pd = participantsData[participant];
        validatorBitMap |= (1 << (255 - validatorIDs[participant]));
        // release gas if possible
        if (pd.submissionCounter == 1) {
            pd.submissionCounter = 0;
            pd.stake = 0;
        }
    }

    emit BlockSpecimenQuorum(chainId, blockHeight, validatorBitMap, agreedBlockHash, agreedSpecimenHash);

    delete session.blockProperties[agreedBlockHash]; // release gas // bug 
}

Tool used

Manual Review

Recommendation

clear data participants in before delete session.blockProperties[agreedBlockHash]

Duplicate of #33

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid