Judge has assessed an item in Issue #400 as M risk. The relevant finding follows:
L04 - LiquidStakingManager.dao can rug node operators with executeAsSmartWallet()
daoCommissionPercentage is used to calculate the portion of node operator network rewards that are sent to dao, when a node runner is calling claimRewardsAsNodeRunner().
There is no timelock to updateDAORevenueCommission(), meaning a dao can call it with _commissionPercentage = MODULO to set daoCommissionPercentage to 100%, effectively stealing all the network rewards from node runners.
Impact
Centralization risk
Tools Used
Manual Analysis
Mitigation
Consider either adding a timelock to updateDAORevenueCommission(), or adding an upper boundary to it, so that daoCommissionPercentage is always reasonable.
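An added sketch of the mitigation, not part of the original finding and not the LiquidStakingManager source: it combines both suggested options, an upper bound and a timelock, on the commission setter. The value of MODULO, the 20% cap, the 7-day delay, the contract name and the applyDAORevenueCommission() step are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Added illustration only; not the project's contract.
contract CommissionConfig {
    // Assumed values: the finding does not state MODULO, a cap or a delay.
    uint256 public constant MODULO = 100_00000;            // represents 100%
    uint256 public constant MAX_DAO_COMMISSION = 20_00000; // hypothetical 20% cap
    uint256 public constant COMMISSION_DELAY = 7 days;     // hypothetical timelock

    address public immutable dao;
    uint256 public daoCommissionPercentage;
    uint256 public pendingCommission;
    uint256 public pendingCommissionEta; // 0 when nothing is queued

    event DAOCommissionQueued(uint256 newCommission, uint256 eta);
    event DAOCommissionUpdated(uint256 oldCommission, uint256 newCommission);

    modifier onlyDAO() {
        require(msg.sender == dao, "Must be DAO");
        _;
    }

    constructor(address _dao) {
        require(_dao != address(0), "Zero address");
        dao = _dao;
    }

    /// Step 1: queue a new rate. Anything above the cap is rejected,
    /// so _commissionPercentage = MODULO can never be queued.
    function updateDAORevenueCommission(uint256 _commissionPercentage) external onlyDAO {
        require(_commissionPercentage <= MAX_DAO_COMMISSION, "Above cap");
        pendingCommission = _commissionPercentage;
        pendingCommissionEta = block.timestamp + COMMISSION_DELAY;
        emit DAOCommissionQueued(_commissionPercentage, pendingCommissionEta);
    }

    /// Step 2: apply the queued rate once the delay has elapsed, which
    /// leaves node runners time to claim rewards under the old rate.
    function applyDAORevenueCommission() external {
        uint256 eta = pendingCommissionEta;
        require(eta != 0, "Nothing queued");
        require(block.timestamp >= eta, "Timelock active");
        emit DAOCommissionUpdated(daoCommissionPercentage, pendingCommission);
        daoCommissionPercentage = pendingCommission;
        pendingCommissionEta = 0;
    }
}
```

The queued-change event gives node runners and monitoring an on-chain signal to watch for before a new rate takes effect.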