Changing Validator to an Existing Delegator Might Skew Delegated Value
Summary
If a validator calls setValidatorAddress and sets the new address to an existing delegator of that validator, the delegated variable can no longer be reduced, leaving it inflated indefinitely.
Vulnerability Detail
When the _address variable is changed to an existing delegator, the delegated value can no longer be deducted, because the delegator becomes the validator.
As seen in _unstake, the function checks whether msg.sender is equal to v._address:
bool isValidator = msg.sender == v._address;
The following deduction is never executed, because the delegator has now become the validator:
if (!isValidator) {
    v.delegated -= effectiveAmount;
}
Consequently, this affects how much users can actually delegate to this particular validator. As seen in stake, the function checks whether the current delegated amount plus amount is less than the max cap. Because the initial delegated amount is now permanent, the effective maximum delegation is lower than the true max cap. This is more significant if the new validator had a large delegated amount before the transfer.
SadBase
medium
It also affects unstake. If the new validator had a large delegated amount before the change, the validator is unable to unstake
Impact
The inflated value leaves users unable to delegate as much, and the validator unable to unstake as much, as intended.
Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L689-L711
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L432-L435
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L497-L498
PoC
Tool used
Manual Review
Recommendation
Implement additional checks to verify whether the newAddress has staked and shares, before transferring over.
Duplicate of #66
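
The accounting drift described in this finding, and the effect of the recommended check, can be reproduced with a small Python model. This is an added example, not code from OperationalStaking.sol: the class, the names alice and bob, the fixed max_cap, the amounts and the stake-transfer step in set_validator_address are all assumptions made for illustration, and shares are not modelled.

```python
class Validator:
    """Simplified model of one validator's accounting (not the contract's code)."""

    def __init__(self, address, max_cap, check_new_address=False):
        self.address = address              # models v._address
        self.delegated = 0                  # models v.delegated
        self.staked = {}                    # per-address stake (assumed layout)
        self.max_cap = max_cap              # assumed fixed delegation cap
        self.check_new_address = check_new_address

    def stake(self, sender, amount):
        if sender != self.address:          # only delegators count toward delegated
            if self.delegated + amount > self.max_cap:
                raise ValueError("delegation above max cap")
            self.delegated += amount
        self.staked[sender] = self.staked.get(sender, 0) + amount

    def unstake(self, sender, amount):
        if amount > self.staked.get(sender, 0):
            raise ValueError("unstake exceeds stake")
        is_validator = sender == self.address
        if not is_validator:                # skipped once the delegator is the validator
            self.delegated -= amount
        self.staked[sender] -= amount

    def set_validator_address(self, new_address):
        if self.check_new_address and self.staked.get(new_address, 0) != 0:
            raise ValueError("new address already has a stake")
        # Assumed transfer step: the old validator's stake moves to the new address.
        moved = self.staked.pop(self.address, 0)
        self.staked[new_address] = self.staked.get(new_address, 0) + moved
        self.address = new_address


def run_scenario(check_new_address):
    """Bob delegates, is made the validator address, then withdraws everything."""
    v = Validator("alice", max_cap=1000, check_new_address=check_new_address)
    v.stake("alice", 500)                   # validator self-stake
    v.stake("bob", 400)                     # bob delegates, delegated becomes 400
    status = "changed"
    try:
        v.set_validator_address("bob")
        v.unstake("bob", 900)               # bob exits fully; delegated is untouched
    except ValueError:
        status = "rejected"
    actual = sum(s for a, s in v.staked.items() if a != v.address)
    return status, v.delegated, actual      # recorded vs. real delegator stake
```

Without the check, delegated stays at 400 although no delegator stake remains, so 400 of the cap is permanently consumed; with the check the address change is rejected and the two values stay equal.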