Open sherlock-admin2 opened 2 months ago
escalate The README file mentions: link.
According to Sherlock's rules: link.
Therefore, this is a medium.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
As you voice yourself, the admin can change the default validator by re-instantiating and updating to a new version number. While it would be a nicer way to have a separate function for that, the behavior described in the contest description is implemented in code.
Reinstantiation will completely change the context, equivalent to redeploying a contract, which clearly does not align with the logic in the documentation. If creating a new instantiation is the solution to this problem, then I believe it is unnecessary to mention this point in the documentation at all.
According to Sherlock's rules, I think it might be Medium:
"The protocol team can use the README (and only the README) to define language that indicates the codebase's restrictions and/or expected functionality. Issues that break these statements, irrespective of whether the impact is low/unknown, will be assigned Medium severity."
Planning to accept the escalation and make this issue a valid Medium.
Are there any duplicates we need to add?
Result: Medium Unique
Are there any duplicates we need to add?
no
The protocol team fixed this issue in the following PRs/commits: https://github.com/andromedaprotocol/andromeda-core/pull/558
cu5t0mPe0
Medium
the DEFAULTVALIDATOR cannot be changed
Summary
DEFAULTVALIDATOR can not alter the default staking validator
Vulnerability Detail
sherlock docs:
can alter the default staking validator for the validator staking contract
But in reality, validator-staking does not have a function related to setDEFAULTVALIDATOR. The only way to modify DEFAULTVALIDATOR is to call instantiate and reinstantiate a new validator-staking. This contradicts the documentation, so I consider this a Medium issue.
Impact
the default staking validator cannot be changed
Code Snippet
https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-validator-staking/src/contract.rs#L43
Tool used
Manual Review
Recommendation
Add and modify related functions of DEFAULTVALIDATOR
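The recommendation above, sketched as an added example (not code from the report, the Andromeda repository, or the linked fix PR): a plain-Rust model, without cosmwasm_std, in which an owner-gated setter changes the default validator without re-instantiating. `StakingContract`, `ContractError`, `update_default_validator`, the owner check and the in-memory validator set are all assumptions made for illustration.

```rust
// Plain-Rust model of a validator-staking contract's state (hypothetical names,
// no cosmwasm_std). It only illustrates the shape of the missing setter.
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum ContractError {
    Unauthorized,
    InvalidValidator(String),
}

pub struct StakingContract {
    owner: String,
    default_validator: String,
    // Stand-in for the chain's validator set, which a real contract would query.
    active_validators: HashSet<String>,
}

impl StakingContract {
    // As the report describes, instantiation is the only place the default is set.
    pub fn instantiate(owner: &str, default_validator: &str, active: &[&str]) -> Result<Self, ContractError> {
        let active_validators: HashSet<String> = active.iter().map(|v| v.to_string()).collect();
        if !active_validators.contains(default_validator) {
            return Err(ContractError::InvalidValidator(default_validator.to_string()));
        }
        Ok(Self { owner: owner.to_string(), default_validator: default_validator.to_string(), active_validators })
    }

    // The missing piece: change the default in place, keeping all other state.
    pub fn update_default_validator(&mut self, sender: &str, new_validator: &str) -> Result<(), ContractError> {
        // Only the owner may change where new stake is routed by default.
        if sender != self.owner {
            return Err(ContractError::Unauthorized);
        }
        // Reject unknown validators before touching state.
        if !self.active_validators.contains(new_validator) {
            return Err(ContractError::InvalidValidator(new_validator.to_string()));
        }
        self.default_validator = new_validator.to_string();
        Ok(())
    }

    pub fn default_validator(&self) -> &str {
        &self.default_validator
    }
}

fn main() {
    // Constructed sample addresses.
    let mut c = StakingContract::instantiate("owner", "valoper1", &["valoper1", "valoper2"]).unwrap();
    c.update_default_validator("owner", "valoper2").unwrap();
    println!("default validator: {}", c.default_validator());
}
```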