search

sherlock-audit / 2023-11-covalent-judging

3 stars 2 forks source link

cergyk - OperationalStaking::setValidatorAddress Validator can bypass validatorMaxStake threshold by setting address to an existing delegator #85

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

cergyk

medium

OperationalStaking::setValidatorAddress Validator can bypass validatorMaxStake threshold by setting address to an existing delegator

Summary

A maximum limitation is checked to ensure that a validator does not stake a too big amount, unfortunately this limitation can be bypassed by setting a new validator address

Vulnerability Detail

We can see that during a call to setValidatorAddress the existing stake for a validator is transferred to the new address: https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L696-L697

And the stake amount is not checked against validatorMaxStake as done during _stake: https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L429

This means that a validator can use delegation from another address to bypass the validatorMaxStake limitation

Impact

A validator can stake more than validatorMaxStake bypassing the security check introduced by the protocol

Code Snippet

Tool used

Manual Review

Recommendation

Ensure the check is called during setValidatorAddress as well:

+ require(v.stakings[newAddress].staked <= validatorMaxStake, "Validator max stake exceeded");

Duplicate of #66

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid: duplicate of issue 066; high(1)