Closed sherlock-admin closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
possible solutions at https://github.com/sherlock-audit/2023-11-covalent-judging/issues/120
Invalid, insufficient proof.
ydlee
high
An operators can submit another's specimen proofs, without actual proof of work.
Summary
An operator can use the values that another operator used for submitting specimen proof, without actually calculating the specimen hash.
Vulnerability Detail
The values for submit a specimen proof can be replayed. An opeator can extract the values used to submit block specimen proof from the contract storage or from transactions. Then he can use these values to submit proof for that block on order for that proof gets agreed and get reward. But he doesn't actually put any effort to calculate the specimen hash. This makes the contract consensus vulnerable to be manipulated.
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L328
Impact
Specimen proofs can be replayed without effort, making the contract consensus vulnerable to be manipulated.
Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L328
Tool used
Manual Review
Recommendation
I have no good idea to mitigate this issue.