When validators stake, there is a lack of a minimum stake amount check

Summary

When a validator is staking, the protocol does not check the minimum stake amount, resulting in validators being easily disabled.

Vulnerability Detail

In the _stake() function, when a validator is staking, the protocol only checks that the validator's stake does not exceed validatorMaxStake, but it does not check the minimum stake required for validators.

      if (isValidator) {
            // compares with newStaked to ignore compounded rewards
            require(newStaked <= validatorMaxStake, "Validator max stake exceeded");
        } else {
            // cannot stake more than validator delegation max cap
            uint128 delegationMaxCap = v.stakings[v._address].staked * maxCapMultiplier;
            uint128 newDelegated = v.delegated + amount;
            require(newDelegated <= delegationMaxCap, "Validator max delegation exceeded");
            v.delegated = newDelegated;
        }

Impact

Validators are susceptible to being disabled easily during unstake().

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L427-L429

Tool used

Manual Review

Recommendation

When a validator is staking, add a check for newStaked >= validatorEnableMinStake.

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid: should provide a process of that.

nevillehuang commented 6 months ago

Invalid, check done here

sherlock-audit / 2023-11-covalent-judging

Bauer - When validators stake, there is a lack of a minimum stake amount check #113