Wrong access control on setValidatorCommissionRate()
Summary
According to the Sherlock README the Staking manager should be allowed to set the Validator Commission Rate.
What the StakingManager can do: Set the validator commission rate
But the setValidatorCommissionRate() function has the onlyOwner() modifier, which allows only the contract owner to set the commission rate.
Vulnerability Detail
The setValidatorCommissionRate() has the onlyOwner modifier.
function setValidatorCommissionRate(uint128 validatorId, uint128 amount) external onlyOwner {
PUSH0
medium
Wrong access control on setValidatorCommissionRate()
Summary
According to the Sherlock README the Staking manager should be allowed to set the Validator Commission Rate.
What the StakingManager can do: Set the validator commission rate
But the setValidatorCommissionRate() function has the onlyOwner() modifier, which allows only the contract owner to set the commission rate.
Vulnerability Detail
The setValidatorCommissionRate() has the onlyOwner modifier.
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L362
It should use the onlyStakingManager() instead.
Impact
Wrong access control, Staking manager can not change commission rate. This destroys core functionality with no quick fix.
Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L362
Tool used
Manual Review
Recommendation
Change the modifier to allow the Staking Manager to change commission rate.
Duplicate of #42