This repository has been archived by the owner on Dec 29, 2024. It is now read-only.

cu5t0mPe0 - the DEFAULTVALIDATOR cannot be changed #18

Open
sherlock-admin2 opened this issue Jun 23, 2024 · 12 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin2

sherlock-admin2 commented Jun 23, 2024

cu5t0mPe0

Medium

the DEFAULTVALIDATOR cannot be changed

Summary

DEFAULTVALIDATOR cannot alter the default staking validator

Vulnerability Detail

sherlock docs: can alter the default staking validator for the validator staking contract

But in reality, validator-staking does not have a function related to setDEFAULTVALIDATOR. The only way to modify DEFAULTVALIDATOR is to call instantiate and reinstantiate a new validator-staking. This contradicts the documentation, so I consider this a Medium issue.

Impact

the default staking validator cannot be changed

Code Snippet

https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-validator-staking/src/contract.rs#L43

Tool used

Manual Review

Recommendation

Add and modify related functions of DEFAULTVALIDATOR

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jun 28, 2024
@sherlock-admin2 sherlock-admin2 changed the title Flaky Chrome Elephant - the DEFAULTVALIDATOR cannot be changed cu5t0mPe0 - the DEFAULTVALIDATOR cannot be changed Jun 29, 2024
@sherlock-admin2 sherlock-admin2 added the Non-Reward This issue will not receive a payout label Jun 29, 2024
@cu5t0mPeo

escalate
The README file mentions: link.

According to Sherlock's rules: link.

Therefore, this is a medium.

@sherlock-admin3
Contributor

escalate
The README file mentions: link.

According to Sherlock's rules: link.

Therefore, this is a medium.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin4 sherlock-admin4 added the Escalated This issue contains a pending escalation label Jun 29, 2024
@J4X-98

J4X-98 commented Jul 3, 2024

As you voice yourself, the admin can change the default validator by re-instantiating and updating to a new version number. While it would be a nicer way to have a separate function for that, the behavior described in the contest description is implemented in code.

@cu5t0mPeo

Reinstantiation will completely change the context, equivalent to redeploying a contract, which clearly does not align with the logic in the documentation. If creating a new instantiation is the solution to this problem, then I believe it is unnecessary to mention this point in the documentation at all.

@cvetanovv

According to Sherlock's rules, I think it might be Medium:

"The protocol team can use the README (and only the README) to define language that indicates the codebase's restrictions and/or expected functionality. Issues that break these statements, irrespective of whether the impact is low/unknown, will be assigned Medium severity."

@cvetanovv

Planning to accept the escalation and make this issue a valid Medium.

@WangSecurity WangSecurity added the Medium A valid Medium severity issue label Jul 9, 2024
@WangSecurity

Are there any duplicates we need to add?

@WangSecurity

WangSecurity commented Jul 9, 2024

Result:
Medium
Unique

@WangSecurity WangSecurity reopened this Jul 9, 2024
@cu5t0mPeo

Are there any duplicates we need to add?

no

@sherlock-admin2
Author

sherlock-admin2 commented Jul 10, 2024

Escalations have been resolved successfully!

Escalation status:

@sherlock-admin2 sherlock-admin2 added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Jul 10, 2024
@sherlock-admin3 sherlock-admin3 removed the Escalated This issue contains a pending escalation label Jul 10, 2024
@sherlock-admin4 sherlock-admin4 added the Escalation Resolved This issue's escalations have been approved/rejected label Jul 10, 2024
@sherlock-admin2 sherlock-admin2 removed the Excluded Excluded by the judge without consulting the protocol or the senior label Jul 23, 2024
@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Aug 27, 2024
@sherlock-admin2
Author

The protocol team fixed this issue in the following PRs/commits:
andromedaprotocol/andromeda-core#558

@bin2chen66
Collaborator

fix-reviews note:
andromedaprotocol/andromeda-core#558
This PR adds the method execute_update_default_validator() which modifies the DEFAULTVALIDATOR and can only be executed by the owner.
Fixed this issue
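The pattern at the centre of this issue and of the fix-review note above, as an added example that is not code from andromeda-core or from PR #558: a plain-Rust model in which `DEFAULTVALIDATOR` is first written only by `instantiate` (the situation the report describes), and an owner-gated `execute_update_default_validator` then provides the in-place update. `cosmwasm_std` is deliberately not used, so `State`, `Env`, `ContractError` and the active-validator check are stand-ins chosen for this example, not the project's types or its actual validation logic.

```rust
// Added example, not the andromeda-core contract. Models the owner-only
// DEFAULTVALIDATOR setter that the fix PR describes, without cosmwasm_std.
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum ContractError {
    /// Caller is not the contract owner.
    Unauthorized { sender: String },
    /// Validator is not in the (constructed) active validator set.
    UnknownValidator { validator: String },
}

/// Persistent state; in the real contract DEFAULTVALIDATOR is a storage item.
#[derive(Debug, Clone, PartialEq)]
pub struct State {
    pub owner: String,
    pub default_validator: String,
}

/// Stand-in for the chain context a contract would query (assumed, not cosmwasm_std).
pub struct Env {
    pub active_validators: HashSet<String>,
}

impl Env {
    pub fn new(validators: &[&str]) -> Self {
        Env { active_validators: validators.iter().map(|v| v.to_string()).collect() }
    }
}

/// Reject validators that are not active, so a typo cannot silently break staking.
fn ensure_active(env: &Env, validator: &str) -> Result<(), ContractError> {
    if env.active_validators.contains(validator) {
        Ok(())
    } else {
        Err(ContractError::UnknownValidator { validator: validator.to_string() })
    }
}

/// Sets the initial DEFAULTVALIDATOR. Before the fix this was the only code path
/// that wrote it, which is the point of the finding.
pub fn instantiate(owner: &str, default_validator: &str, env: &Env) -> Result<State, ContractError> {
    ensure_active(env, default_validator)?;
    Ok(State { owner: owner.to_string(), default_validator: default_validator.to_string() })
}

/// The setter the fix adds: only the owner may change DEFAULTVALIDATOR, and the new
/// value is validated the same way the instantiate path validates it.
pub fn execute_update_default_validator(
    state: &mut State,
    env: &Env,
    sender: &str,
    new_validator: &str,
) -> Result<(), ContractError> {
    if sender != state.owner {
        return Err(ContractError::Unauthorized { sender: sender.to_string() });
    }
    ensure_active(env, new_validator)?;
    state.default_validator = new_validator.to_string();
    Ok(())
}

fn main() {
    // Constructed sample data.
    let env = Env::new(&["valoper-a", "valoper-b"]);
    let mut state = instantiate("owner", "valoper-a", &env).unwrap();

    let denied = execute_update_default_validator(&mut state, &env, "someone-else", "valoper-b");
    println!("non-owner update: {:?}", denied);

    let ok = execute_update_default_validator(&mut state, &env, "owner", "valoper-b");
    println!("owner update: {:?}, default is now {}", ok, state.default_validator);
}
```

The two checks in the setter are the ones a reviewer of such a PR would look for: the sender is compared against the stored owner before any state is written, and the new value passes the same validation as the value accepted at instantiation, so the update path cannot admit a validator that the instantiate path would have rejected.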
