The missing validation in _uninstallValidator can lead to corruption of the linked list. Specifically, if the prev address provided does not correctly point to the validator to be removed, the linked list structure will be broken. This can result in:
Inability to correctly traverse the list.
Incorrect data being returned by functions that rely on the list, such as getValidatorsPaginated.
The ModuleManager contract manages various modules, including validators, using a linked list structure provided by the SentinelListLib library. The _uninstallValidator function is responsible for removing a validator from this list. However, since the prev address in the provided data can be freely set, it should be validated to ensure the integrity of the linked list after the validator is removed. Because this check is missing, providing a wrong prev address breaks the linked list.
Example:
Assume the linked list of validators is as follows: SENTINEL -> Validator1 -> Validator2 -> Validator3 -> SENTINEL.
A call to _uninstallValidator is made with prev = Validator1 and validator = Validator3.
The function does not check if validators.getNext(Validator1) equals Validator3.
The pop function is called, which sets self.entries[Validator1] to self.entries[Validator3], effectively incorrectly removing Validator2 from the list and corrupting the structure.
The resulting list will look like: SENTINEL -> Validator1 -> SENTINEL, with Validator2 incorrectly removed.
Relevant code:
Add a validation step to ensure that validators.getNext(prev) equals validator before proceeding with the removal. This ensures that the prev address correctly points to the validator to be removed, maintaining the integrity of the linked list.
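The example and the recommended check, modelled in Python as an added illustration (not ModuleManager or SentinelListLib code). The ValidatorList class, its method names and the clearing of the removed entry's pointer are assumptions; only the entries[prev] = entries[validator] write and the getNext(prev) == validator check come from the text above.

```python
SENTINEL = "SENTINEL"
ZERO = None  # stands in for address(0)


class ValidatorList:
    """Constructed model of a mapping-based sentinel linked list."""

    def __init__(self, validators):
        # entries[a] is the node that follows a (self.entries in the text).
        self.entries = {}
        prev = SENTINEL
        for v in validators:
            self.entries[prev] = v
            prev = v
        self.entries[prev] = SENTINEL

    def get_next(self, entry):
        return self.entries.get(entry, ZERO)

    def pop(self, prev, entry):
        # The write the finding describes, performed without a link check.
        self.entries[prev] = self.entries[entry]
        self.entries[entry] = ZERO  # assumption: removed entry is cleared

    def uninstall_unchecked(self, prev, validator):
        self.pop(prev, validator)

    def uninstall_checked(self, prev, validator):
        # Recommended validation: prev must be the direct predecessor.
        if validator in (SENTINEL, ZERO) or self.get_next(prev) != validator:
            raise ValueError("prev does not point to validator")
        self.pop(prev, validator)

    def traverse(self):
        # Walk from the sentinel, as a paginated getter would.
        out, cur = [], self.get_next(SENTINEL)
        while cur not in (SENTINEL, ZERO):
            out.append(cur)
            cur = self.get_next(cur)
        return out


def demo():
    names = ["Validator1", "Validator2", "Validator3"]
    broken = ValidatorList(names)
    broken.uninstall_unchecked("Validator1", "Validator3")  # wrong prev
    fixed = ValidatorList(names)
    try:
        fixed.uninstall_checked("Validator1", "Validator3")  # wrong prev
        rejected = False
    except ValueError:
        rejected = True
    fixed.uninstall_checked("Validator2", "Validator3")  # correct prev
    return broken.traverse(), broken.get_next("Validator2"), rejected, fixed.traverse()
```

In the unchecked run, traversal returns only Validator1 while Validator2 still points at the removed Validator3; the checked variant rejects the same call and leaves the list intact.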