Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

There is no disincentive against submitting bad reports

Summary

Anyone can register to become a validator in the registry. The issue is that there is no lock, so users can submit a validation and withdraw their funds in the same transaction. Because there is no lock, there is no slashing either, so validators are not disincentivized from submitting bad scores.

Vulnerability Details

A malicious validator could:

Create a contract that registers, validates, unregisters, and then sends the tokens it received back to the contract that created it.

The user would have already done the PoW off-chain and would create the contracts using create2, because the sender address is necessary when validating the PoW, so they would need to have the validator/caller address beforehand.

Inside the factory contract, use a for loop to create as many validator contracts as possible and take all the validator fees for themselves while still submitting bad scores for generators.

So, assuming the validation deposit is 1 ETH, an actor could use that one ETH to validate multiple times with several addresses by simply unregistering after making each validation.

Impact

A malicious user could claim all the validator fees, and could do so while griefing honest generators and benefiting malicious ones.

Tools Used

Manual analysis

Recommendations

Malicious generators and validators should be subject to slashing.
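
The following simplified model is an added example, not the Swan contract code or the submitter's proof of concept; the `Registry` class, its method names and the `STAKE` amount are hypothetical. It compares a registry with no lock against one that locks the stake after each validation, which is what leaves a deposit in place for slashing.

```python
from dataclasses import dataclass, field

STAKE = 100  # constructed deposit size, in token units

@dataclass
class Registry:
    """Toy validator registry; lock_period=0 models the behaviour in this report."""
    lock_period: int
    now: int = 0
    balances: dict = field(default_factory=dict)      # liquid tokens
    stakes: dict = field(default_factory=dict)        # deposits held by the registry
    locked_until: dict = field(default_factory=dict)  # earliest unregister time

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def register(self, who):
        self.transfer(who, "registry", STAKE)
        self.stakes[who] = STAKE

    def validate(self, who):
        if who not in self.stakes:
            raise ValueError("not registered")
        # Mitigation: every score submitted extends the lock on the stake.
        self.locked_until[who] = self.now + self.lock_period

    def unregister(self, who):
        if self.now < self.locked_until.get(who, 0):
            raise ValueError("stake locked")
        self.transfer("registry", who, self.stakes.pop(who))
    def slash(self, who):  # confiscate whatever stake is still held for `who`
        return self.stakes.pop(who, 0)

def same_block_cycle(lock_period, identities=5):
    """Return (validations backed by one deposit, stake left to slash)."""
    reg, done = Registry(lock_period, balances={"funder": STAKE}), 0
    for name in (f"validator-{i}" for i in range(identities)):
        try:
            reg.transfer("funder", name, STAKE)
            reg.register(name)
            reg.validate(name)
            done += 1
            reg.unregister(name)
            reg.transfer(name, "funder", STAKE)
        except ValueError:
            break
    return done, sum(reg.slash(f"validator-{i}") for i in range(identities))
```

With `lock_period=0` the single deposit backs every validation and nothing remains to slash; with a non-zero lock the same deposit backs one validation and stays in the registry until the lock expires.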

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

There is no oracle whitelisting
