search

sherlock-audit / 2023-11-covalent-judging

3 stars 2 forks source link

Atharv - Missing Require Statement in setValidatorMaxStake function #93

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

Atharv

medium

Missing Require Statement in setValidatorMaxStake function

Summary

Missing Require Statement in setValidatorMaxStake function, no one will be able to enable the validators unless again calling the setValidatorMaxStake function with greater value.

Vulnerability Detail

Code Link In the OperationalStaking.sol::setValidatorMaxStake function we are not checking whether the maximum should be greater than the minimum amount required to enable the validator.

Here 

 uint128 staked = _sharesToTokens(v.stakings[v._address].shares, v.exchangeRate);

We are calculating the staked amount and 

require(staked >= validatorEnableMinStake, "Validator is insufficiently staked");

checking it should be greater than validatorEnableMinStake But validatorMaxStake < validatorEnableMinStake hence transaction will get reverted and we cannot enable the validator.

Impact

Medium

Code Snippet

function setValidatorMaxStake(uint128 maxStake) external onlyOwner {
        require(maxStake > 0, "Provided max stake is 0");
        validatorMaxStake = maxStake;
        emit ValidatorMaxCapChanged(maxStake);
    }

    function setValidatorEnableMinStake(uint128 minStake) public onlyOwner {
        require(minStake <= validatorMaxStake, "minStake cannot be greater than validatorMaxStake");
        validatorEnableMinStake = minStake;
        emit ValidatorEnableMinStakeChanged(minStake);
    }

Tool used

Manual Review

Recommendation


     function setValidatorMaxStake(uint128 maxStake) external onlyOwner {
        require(maxStake > 0, "Provided max stake is 0");
 +      require(maxStake > validatorEnableMinStake );  
        validatorMaxStake = maxStake;
        emit ValidatorMaxCapChanged(maxStake);
    }

    function setValidatorEnableMinStake(uint128 minStake) public onlyOwner {
        require(minStake <= validatorMaxStake, "minStake cannot be greater than validatorMaxStake");
        validatorEnableMinStake = minStake;
        emit ValidatorEnableMinStakeChanged(minStake);
    }
sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid: admin function

noslav commented 7 months ago

fixed by require validator max stake to be > than default validator enable min…

nevillehuang commented 6 months ago

Invalid, trusted admin input error, not valid based on sherlock rules, see point 5.