sherlock-audit / 2024-05-andromeda-ado-judging


cu5t0mPe0 - the DEFAULTVALIDATOR cannot be changed #18

Open sherlock-admin2 opened 2 months ago

sherlock-admin2 commented 2 months ago

cu5t0mPe0

Medium

the DEFAULTVALIDATOR cannot be changed

Summary

DEFAULTVALIDATOR cannot alter the default staking validator

Vulnerability Detail

Sherlock docs: can alter the default staking validator for the validator staking contract

But in reality, validator-staking does not have a function related to setDEFAULTVALIDATOR. The only way to modify DEFAULTVALIDATOR is to call instantiate and reinstantiate a new validator-staking. This contradicts the documentation, so I consider this a Medium issue.

Impact

The default staking validator cannot be changed

Code Snippet

https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-validator-staking/src/contract.rs#L43

Tool used

Manual Review

Recommendation

Add and modify related functions of DEFAULTVALIDATOR

cu5t0mPeo commented 2 months ago

escalate

The README file mentions: link.

According to Sherlock's rules: link.

Therefore, this is a medium.

sherlock-admin3 commented 2 months ago

escalate

The README file mentions: link.

According to Sherlock's rules: link.

Therefore, this is a medium.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

J4X-98 commented 2 months ago

As you voice yourself, the admin can change the default validator by re-instantiating and updating to a new version number. While it would be a nicer way to have a separate function for that, the behavior described in the contest description is implemented in code.

cu5t0mPeo commented 2 months ago

Reinstantiation will completely change the context, equivalent to redeploying a contract, which clearly does not align with the logic in the documentation. If creating a new instantiation is the solution to this problem, then I believe it is unnecessary to mention this point in the documentation at all.

cvetanovv commented 2 months ago

According to Sherlock's rules, I think it might be Medium:

"The protocol team can use the README (and only the README) to define language that indicates the codebase's restrictions and/or expected functionality. Issues that break these statements, irrespective of whether the impact is low/unknown, will be assigned Medium severity."

cvetanovv commented 2 months ago

Planning to accept the escalation and make this issue a valid Medium.

WangSecurity commented 2 months ago

Are there any duplicates we need to add?

WangSecurity commented 2 months ago

Result: Medium Unique

cu5t0mPeo commented 2 months ago

Are there any duplicates we need to add?

no

sherlock-admin2 commented 2 months ago

Escalations have been resolved successfully!

Escalation status:

sherlock-admin2 commented 1 week ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/andromedaprotocol/andromeda-core/pull/558
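The thread turns on the difference between re-instantiating the contract and changing the default validator in place. The following is an added illustration, not code from andromeda-core or from the fix PR: a plain-Rust model with no CosmWasm dependency, in which every type, function and validator name is hypothetical, showing an owner-gated update that keeps existing delegations while a fresh instantiation starts with empty state.

```rust
use std::collections::HashMap;

// Hypothetical model of one staking contract instance (not Andromeda's types).
#[derive(Debug)]
pub struct Staking {
    pub owner: String,
    pub default_validator: String,
    pub delegations: HashMap<String, u128>, // validator -> staked amount
}

#[derive(Debug, PartialEq)]
pub enum Error { Unauthorized, UnknownValidator }

// Instantiation always yields a new instance with empty state.
pub fn instantiate(owner: &str, default_validator: &str) -> Staking {
    Staking {
        owner: owner.to_string(),
        default_validator: default_validator.to_string(),
        delegations: HashMap::new(),
    }
}

// Stake to the named validator, or to the default when none is given.
pub fn stake(c: &mut Staking, validator: Option<&str>, amount: u128) {
    let v = validator.unwrap_or(c.default_validator.as_str()).to_string();
    *c.delegations.entry(v).or_insert(0) += amount;
}

// Owner-gated in-place update: the kind of setter the report asks for.
// `active_set` stands in for a validator lookup (assumption of this model).
pub fn update_default_validator(
    c: &mut Staking, sender: &str, validator: &str, active_set: &[&str],
) -> Result<(), Error> {
    if sender != c.owner {
        return Err(Error::Unauthorized);
    }
    if !active_set.contains(&validator) {
        return Err(Error::UnknownValidator);
    }
    c.default_validator = validator.to_string();
    Ok(())
}

fn main() {
    let set = ["val-a", "val-b"]; // constructed sample validator set
    let mut c = instantiate("owner", "val-a");
    stake(&mut c, None, 100);
    update_default_validator(&mut c, "owner", "val-b", &set).unwrap();
    stake(&mut c, None, 50);
    println!("{:?}", c); // existing val-a delegation is still tracked
}
```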