Validators can stake greater than validatorMaxStake
Summary
Validators can change their addresses via OS::setValidatorAddress(), making their stake amount exceeds validatorMaxStake
Vulnerability Detail
Validators should not stake with a value greater than validatorMaxStake, to distribute control over the network and BSP, and to prevent centralization control over the protocol by rich people.
In OS::setValidatorAddress(), the validator can change his address by sending staked tokens and shares to a new address.
If the new address, is already a staker (delegator), it will increase the staked amount of the new validator (old staked + delegator staked).
By taking validatorMaxStake = 350_000e18 and maxCapMultiplier = 10.
If the validator staked the maximum available tokens i.e.350_000e18, and delegated to another address that already has stakes, the validator will have stakes greater than validatorMaxStake parameter.
The more the validator stakes, the more delegators can stake their tokens with him.
So if the validator staked 350_000e18 (max), used another address and staked 350_000e18, then changed the address to the address he staked with, the validator will end up with 700_000e18 staked tokens.
This will not only make the validator stake more than the limit, but also The ValidatorMaxCap will rise from: 3_500_000e18 to 7_000_000e18, allowing the validator to accept more delegates.
And if the validator wants to stake more, he can simply use another address, stake with it, and then change his address to him (again and again without stopping). Making the validator be able to break the validatorMaxStake and maxCapMultiplier checks.
Impact
Validators can break validatorMaxStake and maxCapMultiplier checks.
Al-Qa-qa
medium
Validators can stake greater than
validatorMaxStake
Summary
Validators can change their addresses via
OS::setValidatorAddress()
, making theirstake
amount exceedsvalidatorMaxStake
Vulnerability Detail
Validators should not stake with a value greater than
validatorMaxStake
, to distribute control over the network and BSP, and to prevent centralization control over the protocol by rich people.In
OS::setValidatorAddress()
, the validator can change his address by sending staked tokens and shares to a new address.If the new address, is already a staker (delegator), it will increase the staked amount of the new validator (old staked + delegator staked).
By taking validatorMaxStake =
350_000e18
and maxCapMultiplier =10
.If the validator staked the maximum available tokens i.e.
350_000e18
, and delegated to another address that already has stakes, the validator will have stakes greater thanvalidatorMaxStake
parameter.The more the validator stakes, the more delegators can stake their tokens with him.
So if the validator staked
350_000e18
(max), used another address and staked350_000e18
, then changed the address to the address he staked with, the validator will end up with700_000e18
staked tokens.This will not only make the validator stake more than the limit, but also The
ValidatorMaxCap
will rise from:3_500_000e18
to7_000_000e18
, allowing the validator to accept more delegates.OperationalStaking.sol#L431-L435
$ValidatorMaxCap(max) = validatorMaxStake \times maxCapMultiplier$
$ValidatorMaxCap(max) = 350,000e18 \times 10 = 3,500,000e18$
$ValidatorMaxCap(now) = validator.stake \times maxCapMultiplier$
$ValidatorMaxCap(now) = 700,000e18 \times 10 = 7,000,000e18$
And if the validator wants to stake more, he can simply use another address, stake with it, and then change his address to him (again and again without stopping). Making the validator be able to break the
validatorMaxStake
andmaxCapMultiplier
checks.Impact
Validators can break
validatorMaxStake
andmaxCapMultiplier
checks.Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L697
Tool used
Manual Review + Foundry
Recommendation
Check the new validator staked balance when changing his address.
Duplicate of #66