OperationalStaking::setValidatorAddress Validator can bypass validatorMaxStake threshold by setting address to an existing delegator
Summary
A maximum limit is checked to ensure that a validator does not stake too large an amount. Unfortunately, this limit can be bypassed by setting a new validator address.
cergyk
medium
Vulnerability Detail
We can see that during a call to setValidatorAddress, the existing stake for a validator is transferred to the new address: https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L696-L697
And the stake amount is not checked against validatorMaxStake as done during _stake: https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L429
This means that a validator can use delegation from another address to bypass the validatorMaxStake limitation.
Impact
A validator can stake more than validatorMaxStake, bypassing the security check introduced by the protocol.
Code Snippet
Tool used
Manual Review
Recommendation
Ensure the check is called during setValidatorAddress as well:
Duplicate of #66
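
The following Python model is an added illustration, not code from the audited contract or from the report's author. It reduces the staking table to one validator and a flat validatorMaxStake cap (class, method and address names are hypothetical, and delegator-side limits are ignored) and shows the merge in setValidatorAddress with and without the recommended check.

```python
class MaxStakeExceeded(Exception):
    """Raised when the validator's own stake would exceed the cap."""


class StakingModel:
    """Simplified model of one validator's staking table (assumption, not the contract)."""

    def __init__(self, validator, max_stake):
        self.validator = validator      # current validator address
        self.max_stake = max_stake      # stands in for validatorMaxStake
        self.staked = {}                # address -> staked amount

    def stake(self, sender, amount):
        new_staked = self.staked.get(sender, 0) + amount
        # The cap is enforced here only when the staker is the validator itself.
        if sender == self.validator and new_staked > self.max_stake:
            raise MaxStakeExceeded(new_staked)
        self.staked[sender] = new_staked

    def set_validator_address(self, new_address, enforce_cap):
        # The validator's stake is merged into whatever new_address already holds.
        merged = self.staked.get(new_address, 0) + self.staked.get(self.validator, 0)
        # Recommended fix: apply the same cap to the merged amount.
        if enforce_cap and merged > self.max_stake:
            raise MaxStakeExceeded(merged)
        self.staked.pop(self.validator, None)
        self.staked[new_address] = merged
        self.validator = new_address

    def validator_stake(self):
        return self.staked.get(self.validator, 0)


def run_scenario(enforce_cap):
    """Constructed scenario: cap of 100, validator at the cap, delegator holding 80."""
    model = StakingModel("val_old", max_stake=100)
    model.stake("val_old", 100)     # allowed: exactly at the cap
    model.stake("delegator", 80)    # delegation, not subject to the validator cap
    try:
        model.set_validator_address("delegator", enforce_cap)
    except MaxStakeExceeded:
        return ("rejected", model.validator_stake())
    return ("accepted", model.validator_stake())


if __name__ == "__main__":
    print("without check:", run_scenario(enforce_cap=False))
    print("with check:   ", run_scenario(enforce_cap=True))
```

The same scenario can serve as a regression test for the fix: after the address change is attempted, the validator's stake must never exceed the cap.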