Skip to content

fix(validator): use index instead of address in changeValidatorStatus to prevent front-running#2188

Merged
fgimenez merged 3 commits intomainfrom
fgimenez/zellic-24
Jan 21, 2026
Merged

fix(validator): use index instead of address in changeValidatorStatus to prevent front-running#2188
fgimenez merged 3 commits intomainfrom
fgimenez/zellic-24

Conversation

@fgimenez
Copy link
Copy Markdown
Member

@fgimenez fgimenez commented Jan 20, 2026

Closes ZELLIC-24

Fixes a front-running vulnerability in changeValidatorStatus by using validator index instead of address. A malicious validator could front-run the owner's changeValidatorStatus(validatorAddress, false) call by first calling rotateValidator to change their address, causing the owner's deactivation to fail.

Changed changeValidatorStatus to accept a uint64 index parameter instead of address validator. Since validator indices are stable positions in the array, the owner can now reliably deactivate validators regardless of address rotations.

@fgimenez fgimenez added the C-security Issue or pull request related to security label Jan 20, 2026
@fgimenez fgimenez requested a review from SuperFluffy as a code owner January 20, 2026 18:32
@fgimenez fgimenez added A-precompile Related to precompiles A-consensus-infra Related to consensus C-audit labels Jan 20, 2026
0xrusowsky
0xrusowsky reviewed Jan 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@0xrusowsky 0xrusowsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

on the rust impl, shouldn't we add a new function with the new type, and update the dispatcher to gatekeep this under T1?

this would be a breaking change if we have already called this fn

@fgimenez
Copy link
Copy Markdown
Member Author

fgimenez commented Jan 21, 2026

on the rust impl, shouldn't we add a new function with the new type, and update the dispatcher to gatekeep this under T1?

this would be a breaking change if we have already called this fn

@0xrusowsky good point, done here 9caf70c ptal

@fgimenez fgimenez enabled auto-merge January 21, 2026 19:48
@fgimenez fgimenez added this pull request to the merge queue Jan 21, 2026
Merged via the queue into main with commit 471c1ce Jan 21, 2026
18 checks passed
@fgimenez fgimenez deleted the fgimenez/zellic-24 branch January 21, 2026 19:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0xrusowsky 0xrusowsky 0xrusowsky approved these changes

@legion2002 legion2002 Awaiting requested review from legion2002 legion2002 is a code owner

@howydev howydev Awaiting requested review from howydev

@0xKitsune 0xKitsune Awaiting requested review from 0xKitsune 0xKitsune is a code owner

@klkvr klkvr Awaiting requested review from klkvr klkvr is a code owner

@mattsse mattsse Awaiting requested review from mattsse mattsse is a code owner

@joshieDo joshieDo Awaiting requested review from joshieDo joshieDo is a code owner

@SuperFluffy SuperFluffy Awaiting requested review from SuperFluffy SuperFluffy is a code owner

@danrobinson danrobinson Awaiting requested review from danrobinson danrobinson is a code owner

@dankrad dankrad Awaiting requested review from dankrad dankrad is a code owner

Assignees

No one assigned

Labels

A-consensus-infra Related to consensus A-precompile Related to precompiles C-security Issue or pull request related to security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fgimenez @0xrusowsky