You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Anyone can call createMinipool() with nodeID, duration, delegationFee parameters.
The original implementation did not have sanity checks for duration, delegationFee parameters and this could lead to various issues.
C4 issue
M-14: any duration can be passed by node operator
Comments
Anyone can call
createMinipool()
withnodeID, duration, delegationFee
parameters.The original implementation did not have sanity checks for
duration, delegationFee
parameters and this could lead to various issues.recordStakingEnd()
can revert due to overflow.Mitigation
PR #38
Double checked the Avalanche documentation about the requirements for
duration, delegationFee
.The mitigation added new sanity checks as below.
Tests
There were several unreasonable test cases in the original code base (e.g. 0 duration) and these are fixed now. All passing.
Note
There is another issue found in the mitigation for H-04 and it is slightly related to this one.
Conclusion
LGTM
The text was updated successfully, but these errors were encountered: