Validator can maliciously set the commission percentage in bond_validator
Summary
Validator can maliciously set the commission percentage in bond_validator
Vulnerability Detail
In https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/program/src/resources/credits.aleo#L165
Before the Validator's address becomes a real Validator, the Staker does not know what the commission percentage set by the Validator is when executing bond_public? If the commission percentage set during bond_validator is 100%, the Staker can only perform the unbond operation, which will cause the Staker to lose 360+% of its income, which is obviously unfair to the Staker. At the same time, if there are multiple candidate Validators, how do I choose the candidate Validator with the lowest commission percentage?
Impact
Staker cannot accurately and effectively select the appropriate Validator
Code Snippet
function bond_validator:
// Input the withdrawal address.
input r0 as address.public;
// Input the amount of microcredits to bond.
input r1 as u64.public;
// Input the commission percentage.
input r2 as u8.public;
Tool used
Manual Review
Recommendation
Provide a method for candidate validators to announce their commission percentages. If adjustments are needed, they need to take effect after a certain period, for example, after 1800 blocks.
wl
Medium
Validator can maliciously set the commission percentage in bond_validator
Summary
Validator can maliciously set the commission percentage in bond_validator
Vulnerability Detail
In https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/program/src/resources/credits.aleo#L165 Before the Validator's address becomes a real Validator, the Staker does not know what the commission percentage set by the Validator is when executing bond_public? If the commission percentage set during bond_validator is 100%, the Staker can only perform the unbond operation, which will cause the Staker to lose 360+% of its income, which is obviously unfair to the Staker. At the same time, if there are multiple candidate Validators, how do I choose the candidate Validator with the lowest commission percentage?
Impact
Staker cannot accurately and effectively select the appropriate Validator
Code Snippet
Tool used
Manual Review
Recommendation
Provide a method for candidate validators to announce their commission percentages. If adjustments are needed, they need to take effect after a certain period, for example, after 1800 blocks.