Category: Business Logic

Centralization risk in minimum delegation amount

Low Severity
Low Impact
Medium Likelihood

Description

The set_min_delegation_amount function lets a pool owner set the minimum delegation amount to an arbitrary value, with no constraints on it. A pool owner could therefore set the value to the maximum u64, effectively making it impossible for anyone except the owner or protocol to delegate APT to a managed_stake_pool.

public entry fun set_min_delegation_amount(pool_owner: &signer, value: u64) acquires ManagedStakePool {
    let managed_pool_address = signer::address_of(pool_owner);
    let managed_stake_pool = borrow_global_mut<ManagedStakePool>(managed_pool_address);
    // `value` is stored as-is: no upper bound is checked before the write.
    managed_stake_pool.min_delegation_amount = value;
}

Impact

A pool owner could set the value to the maximum u64, effectively making it impossible for anyone except the owner or protocol to delegate APT to a managed_stake_pool.

Recommendations

Set a hardcoded maximum value for the min_delegation_amount.
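
The recommended bound could look like the following. This is an added example, not the change Move Labs made in commit ef89a88; the module address 0xCAFE, the cap value, the error code, and the reduced ManagedStakePool struct are assumptions made so the module compiles and tests on its own.

```move
module 0xCAFE::min_delegation_cap {
    use std::error;
    use std::signer;

    /// Hypothetical error code (assumption, not from the audited code).
    const EMIN_DELEGATION_AMOUNT_TOO_HIGH: u64 = 1;
    /// Hypothetical cap of 1,000 APT in octas (1 APT = 10^8 octas); the
    /// report does not say which maximum was chosen.
    const MAX_MIN_DELEGATION_AMOUNT: u64 = 100000000000;

    /// Reduced to the one field this finding concerns.
    struct ManagedStakePool has key {
        min_delegation_amount: u64,
    }

    public entry fun set_min_delegation_amount(pool_owner: &signer, value: u64) acquires ManagedStakePool {
        // Reject values above the cap before touching state.
        assert!(
            value <= MAX_MIN_DELEGATION_AMOUNT,
            error::invalid_argument(EMIN_DELEGATION_AMOUNT_TOO_HIGH)
        );
        let managed_pool_address = signer::address_of(pool_owner);
        let managed_stake_pool = borrow_global_mut<ManagedStakePool>(managed_pool_address);
        managed_stake_pool.min_delegation_amount = value;
    }

    #[test_only]
    fun init_for_test(owner: &signer) {
        move_to(owner, ManagedStakePool { min_delegation_amount: 0 });
    }

    #[test(owner = @0x123)]
    fun accepts_value_at_cap(owner: &signer) acquires ManagedStakePool {
        init_for_test(owner);
        set_min_delegation_amount(owner, MAX_MIN_DELEGATION_AMOUNT);
        let pool = borrow_global<ManagedStakePool>(signer::address_of(owner));
        assert!(pool.min_delegation_amount == MAX_MIN_DELEGATION_AMOUNT, 0);
    }

    #[test(owner = @0x123)]
    #[expected_failure(abort_code = 0x10001, location = Self)]
    fun rejects_u64_max(owner: &signer) acquires ManagedStakePool {
        init_for_test(owner);
        // Maximum u64, the value the finding describes.
        set_min_delegation_amount(owner, 18446744073709551615);
    }
}
```

The same check belongs on any other code path that writes min_delegation_amount, so the cap cannot be bypassed through a different entry point.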

Remediation

Move Labs fixed this issue in commit ef89a88.

Zellic © 2024