sudeepdino008
commented
9 months ago - if the operator submits the same blockHash, specimenHash duo, there is a revert.
require(specimenHashParticipants[k] != msg.sender, "Operator already submitted for the provided block hash");
- different submissions for (blockHash, specimenHash) is allowed upto a limit.
sherlock-admin2
cergyk
high
BlockSpecimenProofChain::submitBlockSpecimenProof Block specimen producers may submit the same specimen multiple times and force quorum
Summary
Block specimen producers are incentivized to submit valid data representing blocks to the
BlockSpecimenProofChaincontract. However there is no check to ensure that a producer sends data only once, thus a malicious producer may send the same invalid block multiple times, forcing the contract to accept it as valid.Vulnerability Detail
In the implementation of
submitBlockSpecimenProof: https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L328-L392There is no check to ensure that it is called only once per session by a
BlockSpecimenProducer. Also since the roleBlockSpecimenProduceris not actually a privileged role and is accessible by staking CQT as can be seen on this doc page: https://www.covalenthq.com/docs/covalent-network/operator-onboarding-bsp/We can assume that it can operate maliciously under certain conditions (for example if it is possible to extract profit from producing a false block specimen).
Impact
A malicious block specimen producer can force the contract to accept a wrong block for a given block height
Code Snippet
Tool used
Manual Review
Recommendation
Add a check to ensure that the function cannot be called multiple times for a given chain and block height by a validator:
Duplicate of #16