Assessment reports>Tortuga Liquid Staking>Medium findings>Protocol configurations
Category: Coding Mistakes

Protocol configurations

Medium Severity
Medium Impact
Low Likelihood

Description

The following setter functions configure the protocol but have no input validation: set_min_transaction_amount, set_reward_commission, and set_cooldown_period.

public entry fun set_reward_commission(
    tortuga: &signer,
    value: u64
) acquires StakingStatus {
    let staking_status = borrow_global_mut<StakingStatus>(signer::address_of(tortuga));
    staking_status.reward_commission = value;
}

public entry fun set_cooldown_period(
    tortuga: &signer,
    value: u64
) acquires StakingStatus {
    let staking_status = borrow_global_mut<StakingStatus>(signer::address_of(tortuga));
    staking_status.cooldown_period = value;
}

public entry fun set_min_transaction_apt_amount(
    tortuga: &signer,
    value: u64
) acquires StakingStatus {
    let staking_status = borrow_global_mut<StakingStatus>(signer::address_of(tortuga));
    staking_status.min_transaction_apt_amount = value;
}

Impact

This could pose as a centralization risk and allow impractical configuration values.

For example, setting the minimum transaction amount too high could inhibit new users from entering the protocol, and setting the reward commission too high mistakingly would inhibit validators from being able to acquire reasonable amounts of delegations.

Recommendations

We recommend adding upper bound checks on these functions to allow for a reasonable max threshold.

Remediation

Move Labs fixed this issue in commit ef89a88.

Zellic © 2024Back to top ↑