Closed sherlock-admin2 closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid: The length of the validatorIDs is controlled by governance, which is considered trusted according to Sherlock rules VIII number 4 under "exceptions"
ydlee
medium
Specimen session cannot be finalized if a validator that submitted the agreed specimen hash has an ID greater than 255.
Summary
When a specimen session is finalized, the validators that submitted the agreed specimen hash are tracked in the validatorBitMap. The bitmap is at most 256 bits wide, so if a validatorID is greater than 255, the tracking reverts and the specimen session cannot be finalized.
Vulnerability Detail
There is no limit on the value of validatorID when adding a BSP operator, so it is possible for validatorID to exceed 255.
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L176-L185
When a specimen session that has reached quorum is finalized, a validatorBitMap is used to track the validators that submitted the agreed specimen. The bitmap can track at most 256 validators, one bit per validatorID. So if validatorID > 255, the tracking reverts and the finalization fails.
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L430-L434
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L441-L463
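The following is an added Python model of the failure described above, not the project's Solidity code: a 256-bit word holds one bit per validatorID, so an ID of 256 or more cannot be recorded, and a revert (modelled as an exception) stops finalization; the same model shows the guard the report recommends in addBSPOperator. Function and class names (SpecimenChain, add_bsp_operator, finalize_session) are assumptions chosen to mirror the contract, and the bit orientation within the word is not taken from the page.

```python
from __future__ import annotations

BITMAP_WIDTH = 256  # a uint256 bitmap: one bit per validatorID, IDs 0..255


class Revert(Exception):
    """Stands in for an EVM revert (Solidity 0.8 checked arithmetic)."""


class SpecimenChain:
    """Toy model (assumed names) of operator registration + finalization."""

    def __init__(self, guard_ids: bool) -> None:
        # guard_ids=True applies the recommended fix: require validatorID < 256
        self.guard_ids = guard_ids
        self.operator_ids: dict[str, int] = {}

    def add_bsp_operator(self, operator: str, validator_id: int) -> None:
        if self.guard_ids and validator_id >= BITMAP_WIDTH:
            raise Revert("validatorID must be < 256")
        self.operator_ids[operator] = validator_id

    def _set_bit(self, bitmap: int, validator_id: int) -> int:
        # Python ints are unbounded, so the width check is explicit here;
        # in the contract the 256-bit word has no bit for such an ID and
        # the tracking reverts, which is what the report describes.
        if validator_id >= BITMAP_WIDTH:
            raise Revert("validatorID does not fit in a 256-bit bitmap")
        return bitmap | (1 << validator_id)

    def finalize_session(self, agreeing_operators: list[str]) -> int:
        """Return the bitmap of validators that submitted the agreed hash."""
        bitmap = 0
        for op in agreeing_operators:
            bitmap = self._set_bit(bitmap, self.operator_ids[op])
        return bitmap


def demo(guard_ids: bool) -> str:
    """Register a valid ID and an out-of-range ID, then try to finalize."""
    chain = SpecimenChain(guard_ids)
    try:
        chain.add_bsp_operator("op-a", 1)    # constructed sample operators
        chain.add_bsp_operator("op-b", 256)  # one past the last usable bit
    except Revert:
        return "registration rejected"       # with the fix: caught up front
    try:
        chain.finalize_session(["op-a", "op-b"])
    except Revert:
        return "finalization reverted"       # without the fix: session stuck
    return "finalized"
```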
Impact
Agreed specimen cannot be finalized.
Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L176-L185
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L430-L434
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/BlockSpecimenProofChain.sol#L441-L463
Tool used
Manual Review
Recommendation
Require validatorID < 256 in addBSPOperator.
Duplicate of #81