Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $75,000 USDC
Total HM: 6
Participants: 55
Period: 7 days
Judge: Albert Chon
Total Solo HM: 2
Id: 116
League: COSMOS
Rank: 42/55
Findings: 1
Award: $114.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0xDjango, 0xkatana, AmitN, CertoraInc, Dravee, Funen, GermanKuber, GimelSec, Hawkeye, JC, MaratCerby, WatchPug, Waze, broccolirob, cccz, ch13fd357r0y3r, cryptphi, danb, defsec, delfin454000, dipp, dirk_y, ellahi, gzeon, hake, hubble, ilan, jah, jayjonah8, kebabsec, kirk-baird, m9800, orion, oyc_109, robee, shenwilly, simon135, sorrynotsorry
114.279 USDC - $114.28
The comments on submitBatch and updateValset state that "anyone can call this function", but a check inside each function requires the sender to be an orchestrator.
Modify the comment to "any orchestrator".
verifySig doesn't check for zero address
ecrecover returns address zero when signature recovery fails, rather than reverting. Anyone can submit address zero as the value of _signer and a fake signature in verifySig and it would return true.
It is unlikely that there will be a validator with address zero. However, if there is, a malicious orchestrator can take advantage of it to stage an attack with reduced cost (as the address zero validator's power can be used by anyone).
Add a check to prevent address zero input before L185.
require(_signer != address(0));
In the constructor there's no zero address check for _validators. A faulty deployment script could include a zero address which reduces the cost of attack by malicious actors when combined with vulnerability #2 described above.
Iterate over _validators to make sure there is no address zero.
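The two zero-address findings above (verifySig and the constructor) can be seen side by side in the following added example, which is not code from the audited contract. The contract name, the function bodies, the Ethereum signed-message prefix and the revert strings are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. ZeroSignerExample and both verifySig variants are
// hypothetical; they are not the audited project's code.
contract ZeroSignerExample {
    address[] public validators;

    // Mitigation for the constructor finding: iterate over _validators and
    // reject the deployment if any entry is the zero address.
    constructor(address[] memory _validators) {
        for (uint256 i = 0; i < _validators.length; i++) {
            require(_validators[i] != address(0), "zero address validator");
        }
        validators = _validators;
    }

    // Assumed digest format (Ethereum signed-message prefix over a 32-byte hash).
    function digest(bytes32 _theHash) private pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", _theHash));
    }

    // Unchecked form: ecrecover yields address(0) for a signature it cannot
    // recover, so a caller-supplied _signer of address(0) compares equal and
    // the function returns true without any valid signature.
    function verifySigUnchecked(
        address _signer, bytes32 _theHash, uint8 _v, bytes32 _r, bytes32 _s
    ) public pure returns (bool) {
        return _signer == ecrecover(digest(_theHash), _v, _r, _s);
    }

    // Checked form: the recommended require runs before the comparison, so
    // address(0) can never be accepted as a signer.
    function verifySigChecked(
        address _signer, bytes32 _theHash, uint8 _v, bytes32 _r, bytes32 _s
    ) public pure returns (bool) {
        require(_signer != address(0), "zero address signer");
        return _signer == ecrecover(digest(_theHash), _v, _r, _s);
    }
}
```

The constructor check and the require in verifySigChecked are independent defences: either one alone closes the zero-address path described in the findings.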