sherlock-audit / 2023-11-covalent-judging


emrekocak - Anyone can redeem any delegator's or validator's reward #90

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

emrekocak

high

Anyone can redeem any delegator's or validator's reward

Summary

There is no beneficiary address check in the _redeemRewards function, which makes all rewards accessible to anyone.

Vulnerability Detail

Attackers can call the redeemAllRewards or redeemRewards function and specify their address as the beneficiary address, with any validatorId. There are no restrictions on the beneficiary address, which means that anyone could potentially steal all of the rewards.

Impact

Anyone can redeem any delegator's or validator's reward.

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L589-L635 https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L577-L579 https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L584-L587

Tool used

Manual Review

Recommendation

Add this line, as in the redeemCommission function.

    function _redeemRewards(uint128 validatorId, address beneficiary, uint128 amount) internal {
        require(validatorId < validatorsN, "Invalid validator");
        require(beneficiary != address(0x0), "Invalid beneficiary");
        Validator storage v = _validators[validatorId];
        Staking storage s = v.stakings[msg.sender];
+       require(v._address == msg.sender, "The sender is not the validator");
        require(!v.frozen, "Validator is frozen");
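Review bot: the added `require(v._address == msg.sender, ...)` would restrict _redeemRewards to the validator's own address, which locks out delegators, who also hold a record under `v.stakings[msg.sender]`; the existing lookup `Staking storage s = v.stakings[msg.sender];` already scopes the debited staking record to the caller, so `beneficiary` only selects the payout destination and this check is not needed for the stated issue. If the goal is to reject callers with no stake, a check on the caller's own `s` record would be the narrower change.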
sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid: msg.sender is in place at line 593 to ensure it's the validator.

nevillehuang commented 6 months ago

Invalid, msg.sender is used to retrieve staking information, so user cannot arbitrarily claim other stakers rewards.
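To make the judges' point concrete, here is an added illustration that is not Covalent's OperationalStaking code and not part of this issue: a minimal reward ledger with the same shape as the quoted snippet (validator struct, per-staker `stakings` mapping keyed by `msg.sender`, a `beneficiary` destination parameter). The `rewards` field, the `creditForTest` helper and the contract name are hypothetical. The safe function shows why passing an arbitrary `beneficiary` cannot reach another staker's balance; the contrasting unsafe variant shows what the code would have to look like for the reported scenario to apply, which is what a reviewer should check for when triaging reports like this one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Covalent's OperationalStaking: a minimal reward ledger
// showing why keying the staking record by msg.sender makes `beneficiary` a
// payout destination rather than an authorization bypass.
contract RewardLedgerExample {
    struct Staking {
        uint128 rewards; // unredeemed rewards of one staker (hypothetical field)
    }
    struct Validator {
        address _address;
        bool frozen;
        mapping(address => Staking) stakings; // one record per validator or delegator
    }

    uint128 public validatorsN;
    mapping(uint128 => Validator) internal _validators;

    event RewardRedeemed(uint128 indexed validatorId, address indexed staker, address beneficiary, uint128 amount);

    // Hypothetical helper so the example is self-contained: credit rewards to a staker.
    function creditForTest(uint128 validatorId, address staker, uint128 amount) external {
        if (validatorId >= validatorsN) validatorsN = validatorId + 1;
        _validators[validatorId].stakings[staker].rewards += amount;
    }

    // SAFE pattern (the one the judges point to): the staking record is looked up
    // by msg.sender, so the caller can only debit its own balance, whatever
    // `beneficiary` it names. An attacker calling this with a victim's validatorId
    // and their own address as beneficiary simply hits "Insufficient rewards".
    function redeemRewards(uint128 validatorId, address beneficiary, uint128 amount) external {
        require(validatorId < validatorsN, "Invalid validator");
        require(beneficiary != address(0), "Invalid beneficiary");
        Validator storage v = _validators[validatorId];
        Staking storage s = v.stakings[msg.sender]; // keyed by caller, not by a parameter
        require(!v.frozen, "Validator is frozen");
        require(s.rewards >= amount, "Insufficient rewards");
        s.rewards -= amount;
        emit RewardRedeemed(validatorId, msg.sender, beneficiary, amount);
        // token transfer to `beneficiary` would happen here
    }

    // UNSAFE variant for contrast only: if the debited staker came from a
    // parameter instead of msg.sender, the report's scenario would be real,
    // because the caller would control both the key being drained and the
    // payout destination. This is the shape a reviewer must look for.
    function redeemRewardsUnsafe(uint128 validatorId, address staker, address beneficiary, uint128 amount) external {
        require(validatorId < validatorsN, "Invalid validator");
        require(beneficiary != address(0), "Invalid beneficiary");
        Validator storage v = _validators[validatorId];
        Staking storage s = v.stakings[staker]; // BUG: caller-controlled key
        require(!v.frozen, "Validator is frozen");
        require(s.rewards >= amount, "Insufficient rewards");
        s.rewards -= amount;
        emit RewardRedeemed(validatorId, staker, beneficiary, amount);
    }

    function rewardsOf(uint128 validatorId, address staker) external view returns (uint128) {
        return _validators[validatorId].stakings[staker].rewards;
    }
}
```

In a Foundry or Hardhat test, credit rewards to address A via `creditForTest`, then call `redeemRewards` from address B with B as beneficiary: the call reverts with "Insufficient rewards" and `rewardsOf(validatorId, A)` is unchanged, whereas the same call against `redeemRewardsUnsafe` with `staker = A` succeeds. The distinguishing question for any "arbitrary beneficiary" finding is therefore which address keys the balance being debited, not which address receives the payout.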