Suppose a staker has 1 million Aleo credits. In extreme cases, when he finds that the total amount of Delegators of a Valadator node is around 9.99 million, he can stake 20,000 of his 1 million Aleo credits to Validator A. The other 980,000 will be staked to Validator B, and he can unblond 20,000 credits from Validator A at the right time, which will cause others' 9.99 million credits staked to Validator A to have no income within 360 block heights. And at the same time, this may bring his income from 980,000 credits staked to Validator B to be higher, especially in the early days of network launch.
Impact
It doesn't guarantee the stability of income for all Delegators.
Code Snippet
// Check if the delegator will fall below 10,000 bonded credits.
lt r16 10_000_000_000u64 into r17;
// If the validator is forcing the delegator to unbond OR the delegator will fall below 10,000 bonded credits.
or r11 r17 into r18;
// Determine the amount to unbond: requested amount if >= 10,000 credits, otherwise the full bonded amount.
ternary r18 r5.microcredits r2 into r19;
Tool used
Manual Review
Recommendation
A threshold for each Delegator to participate can be set, for example, starting from 500,000. Delegators that do not meet the requirements can participate through ARC0038.
coder-lb
Medium
The delegator can maliciously execute unbond_pulic
Summary
The delegator can maliciously execute unbond_pulic.
Vulnerability Detail
Please see https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/program/src/resources/credits.aleo#L488
Suppose a staker has 1 million Aleo credits. In extreme cases, when he finds that the total amount of Delegators of a Valadator node is around 9.99 million, he can stake 20,000 of his 1 million Aleo credits to Validator A. The other 980,000 will be staked to Validator B, and he can unblond 20,000 credits from Validator A at the right time, which will cause others' 9.99 million credits staked to Validator A to have no income within 360 block heights. And at the same time, this may bring his income from 980,000 credits staked to Validator B to be higher, especially in the early days of network launch.
Impact
It doesn't guarantee the stability of income for all Delegators.
Code Snippet
Tool used
Manual Review
Recommendation
A threshold for each Delegator to participate can be set, for example, starting from 500,000. Delegators that do not meet the requirements can participate through ARC0038.