sherlock-audit / 2023-11-covalent-judging


PUSH0 - Wrong access control on setValidatorCommissionRate() #51

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

PUSH0

medium

Wrong access control on setValidatorCommissionRate()

Summary

According to the Sherlock README, the Staking manager should be allowed to set the Validator Commission Rate:

What the StakingManager can do: Set the validator commission rate

But the setValidatorCommissionRate() function has the onlyOwner() modifier, which allows only the contract owner to set the commission rate.

Vulnerability Detail

The setValidatorCommissionRate() has the onlyOwner modifier.

function setValidatorCommissionRate(uint128 validatorId, uint128 amount) external onlyOwner {

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L362

It should use the onlyStakingManager() instead.

Impact

Wrong access control: the Staking manager cannot change the commission rate. This destroys core functionality with no quick fix.

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L362

Tool used

Manual Review

Recommendation

Change the modifier to allow the Staking Manager to change the commission rate.

Duplicate of #42
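The modifier mix-up described above, shown as an added, constructed example that is not the Covalent OperationalStaking contract and not part of the original report. The contract, role storage, modifier bodies, the DIVIDER bound and the event are all assumptions made for illustration; only the function name, parameter types and the two modifier names come from the issue.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration: a minimal staking contract with two privileged
// roles (owner and staking manager). The "Before" function reproduces the
// reported defect, the "After" function the recommended fix.
contract CommissionRateAccessControl {
    // Assumed: rates are expressed against a fixed scale, 100% == DIVIDER.
    uint128 public constant DIVIDER = 10 ** 18;

    address public owner;
    address public stakingManager;

    // validatorId => commission rate
    mapping(uint128 => uint128) public commissionRate;

    event CommissionRateChanged(uint128 indexed validatorId, uint128 amount);

    // Assumed modifier bodies; the real contract's checks may differ.
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not owner");
        _;
    }

    modifier onlyStakingManager() {
        require(msg.sender == stakingManager, "caller is not stakingManager");
        _;
    }

    constructor(address _stakingManager) {
        owner = msg.sender;
        stakingManager = _stakingManager;
    }

    // BEFORE (as reported): gated on the owner, so a call from the staking
    // manager, the role the README assigns this duty to, reverts.
    function setValidatorCommissionRateBefore(uint128 validatorId, uint128 amount)
        external
        onlyOwner
    {
        _setRate(validatorId, amount);
    }

    // AFTER (recommendation): gated on the staking manager role instead.
    function setValidatorCommissionRate(uint128 validatorId, uint128 amount)
        external
        onlyStakingManager
    {
        _setRate(validatorId, amount);
    }

    function _setRate(uint128 validatorId, uint128 amount) internal {
        require(amount <= DIVIDER, "rate above 100%"); // assumed upper bound
        commissionRate[validatorId] = amount;
        emit CommissionRateChanged(validatorId, amount);
    }
}
```

A cheap regression check for this class of finding is a test per privileged function that calls it from every role the README lists and from one unprivileged address, asserting success only for the documented role; mapping each `only*` modifier back to the README's role table makes a swapped modifier visible at review time rather than after deployment.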

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid: admin function