search

sherlock-audit / 2023-11-covalent-judging

3 stars 2 forks source link

ydlee - An operators can submit another's specimen proofs, without actual proof of work. #122

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

ydlee

high

An operators can submit another's specimen proofs, without actual proof of work.

Summary

An operator can use the values that another operator used for submitting specimen proof, without actually calculating the specimen hash.

Vulnerability Detail

The values for submit a specimen proof can be replayed. An opeator can extract the values used to submit block specimen proof from the contract storage or from transactions. Then he can use these values to submit proof for that block on order for that proof gets agreed and get reward. But he doesn't actually put any effort to calculate the specimen hash. This makes the contract consensus vulnerable to be manipulated.

328:    function submitBlockSpecimenProof(uint64 chainId, uint64 blockHeight, bytes32 blockHash, bytes32 specimenHash, string calldata storageURL) external {

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L328

Impact

Specimen proofs can be replayed without effort, making the contract consensus vulnerable to be manipulated.

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L328

Tool used

Manual Review

Recommendation

I have no good idea to mitigate this issue.

sherlock-admin2 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

noslav commented 8 months ago

possible solutions at https://github.com/sherlock-audit/2023-11-covalent-judging/issues/120

nevillehuang commented 8 months ago

Invalid, insufficient proof.