search

sherlock-audit / 2023-11-covalent-judging

3 stars 2 forks source link

aslanbek - setValidatorAddress allows exceeding the validator and delegator staking caps by 27 times #84

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

aslanbek

medium

setValidatorAddress allows exceeding the validator and delegator staking caps by 27 times

Summary

By design. validators are not allowed to stake more than validatorMaxStake. However, setValidatorAddress allows them to bypass that, as it does not check if the new validator address will have more CQT than validatorMaxStake (which can happen due to their previous stake as a delegator).

Vulnerability Detail

Imagine AliceTheValidator wants to stake 5x validatorMaxStake (or any amount exceeding validatorMaxStake) as a validator, and/or she wants to attract more delegated CQT than validatorMaxStake * maxCapMultiplier. Doing it via stake directly will result in "Validator max stake exceeded" error (as it should), so she needs a workaround.

So she stakes 5x validatorMaxStake as a delegator from another address (alice2), and then from alice1 calls setValidatorAddress(newAddress = alice2) . Now, alice2 is staking 6x validatorMaxStake as a validator. Moreover, her delegator staking limit is also increased by the same multiplier.

Foundry PoC

Impact

Validator and delegator staking caps exceed the intended values by up to maxCapMultiplier times (27x at launch).

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L696-L697

Tool used

Manual Review

Recommendation

        v.stakings[newAddress].shares += v.stakings[msg.sender].shares;
        v.stakings[newAddress].staked += v.stakings[msg.sender].staked;
+       require(v.stakings[newAddress].staked <= validatorMaxStake);

Duplicate of #66

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid: duplicate of issue 066; high(1)