setValidatorCommissionRate should be called by staking manager
Summary
In readme.md, it is mentioned that the responsibilities of the staking manager are as follows:
Set the validator commission rate
Add validator instances to the contract
Reward validators
Disable/Enable validators
What the owner can do:
Deposit tokens into the contract that will be distributed (reward pool)
Withdraw tokens from the contract that are supposed to be distributed. The owner cannot withdraw tokens allocated for the past checkpoints that have not yet been redeemed by the delegators
Set the validator max cap multiplier
Set the maximum number of tokens the validator can stake
Set the StakingManager address
Renounce his role and disable all the following listed actions by calling renounceOwnership
Transfer the ownership to another address by calling transferOwnership
Set or change the stakingManager by calling setStakingManagerAddress
These actions of owner do not include setting the validator commission rate.
But the current implementation of setValidatorCommissionRate can only be called by the owner. Staking manager doesn't set the validator commission rate.
Vulnerability Detail
File: cqt-staking\contracts\OperationalStaking.sol
362:-> function setValidatorCommissionRate(uint128 validatorId, uint128 amount) external onlyOwner {
363: require(validatorId < validatorsN, "Invalid validator");
364: require(amount < DIVIDER, "Rate must be less than 100%");
365: _validators[validatorId].commissionRate = amount;
366: emit ValidatorCommissionRateChanged(validatorId, amount);
367: }
setValidatorCommissionRate has the onlyOwner modifier, which means that the function can only be called by the owner.
Impact
This breaks the assumption of the protocol: staking manager can set the commission rate.
nobody2018
medium
setValidatorCommissionRate should be called by staking manager
Summary
In readme.md, it is mentioned that the responsibilities of the staking manager are as follows:
What the owner can do:
These actions of owner do not include setting the validator commission rate.
But the current implementation of
setValidatorCommissionRate
can only be called by the owner. Staking manager doesn't set the validator commission rate.Vulnerability Detail
setValidatorCommissionRate
has theonlyOwner
modifier, which means that the function can only be called by the owner.Impact
This breaks the assumption of the protocol: staking manager can set the commission rate.
Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L362
Tool used
Manual Review
Recommendation
Duplicate of #42