sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Closed sherlock-admin2 closed 7 months ago
sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
nevillehuang
commented
6 months ago Invalid, getValidatorCompoundedStakingData() is a view function not used anywhere else throughout the codebase. disableValidator() and enableValidator() are permissioned functions so admins are trusted to input appropriate inputs and is invalid based on sherlock rules, see point 5.
Damiclone
medium
Numerous Unchecked Inputs can lead to malfunctioning of protocol
Summary
Some inputs are unchecked which can lead to adverse effect in the protocol
Vulnerability Detail
Throughout the codebase, there are places where a proper input/output validation is lacking. In particular:
getValidatorCompoundedStakingDatafunction inOperationalStaking.soldoesnt check if thevalidatorIdpassed is correct/valid just as they've been checking from other functions (require(validatorId < validatorsN, "Invalid validator");)disableValidatorfunction in BlockResultProofChain.sol doesn't confirm if thevalidatorIdpassed in is correct and secondly, doesnt check if the validator is "currently enabled"enableValidatorfunction in BlockResultProofChain.sol doesn't confirm if thevalidatorIdpassed in is correct and secondly, doesnt check if the validator is "currently disabled"Impact
A lack of validation on parameters may result in erroneous or failing transactions that are difficult to debug. To avoid errors, wasting of protocol resources and unexpected system behavior, consider implementing require statements to validate all inputs as advised.
Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L803C14-L803C47
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockResultProofChain.sol#L146
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockResultProofChain.sol#L156
Tool used
Intense staring at the codebase
Recommendation
getValidatorCompoundedStakingData, make sure input is checked i.erequire(validatorId < validatorsN, "Invalid validator");disableValidator, confirm that validator is currently enabled and validatorId is valid i.erequire(validatorId < validatorsN, "Invalid validator");require(_validatorEnabled[validatorId], "Validator is disabled already")enableValidator, confirm that validator is currently disabled and validatorId is valid i.erequire(validatorId < validatorsN, "Invalid validator");require(!_validatorEnabled[validatorId], "Validator is enabled already")