Description
initialize only rejects bond_amount <= 0 and challenge_window_secs == 0. There is no upper bound on either. An admin typo, such as a window of billions of seconds, is unguarded, and a very large window compounds the storage TTL gap tracked in #1.
Steps to reproduce
- Call
initialize with an extremely large challenge_window_secs, e.g. u64::MAX.
- Observe it succeeds.
Expected behavior
Either a sane upper bound is enforced, or the risk is explicitly documented for integrators and admins choosing these parameters.
Actual behavior
Any positive bond_amount and any non-zero challenge_window_secs is accepted, with no sanity ceiling.
Environment
- Network: testnet / local
- Contract: tholos
- Commit or tag: v0.2.0
Possible impact
Combined with #1, an unbounded challenge window increases the chance of a persistent storage entry expiring before it's acted on.
Description
initializeonly rejectsbond_amount <= 0andchallenge_window_secs == 0. There is no upper bound on either. An admin typo, such as a window of billions of seconds, is unguarded, and a very large window compounds the storage TTL gap tracked in #1.Steps to reproduce
initializewith an extremely largechallenge_window_secs, e.g.u64::MAX.Expected behavior
Either a sane upper bound is enforced, or the risk is explicitly documented for integrators and admins choosing these parameters.
Actual behavior
Any positive
bond_amountand any non-zerochallenge_window_secsis accepted, with no sanity ceiling.Environment
Possible impact
Combined with #1, an unbounded challenge window increases the chance of a persistent storage entry expiring before it's acted on.