Rea - Improper input validation on updateSequencerSetMaxSize()

[sherlock-admin2]

Rea

Medium

Improper input validation on updateSequencerSetMaxSize()

Summary

The updateSequencerSetMaxSize() function does not check for extreme values for the new sequencer set size.

Line of code

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l2/staking/L2Staking.sol#L221

Root Cause

The updateSequencerSetMaxSize() function lacks input validation, allowing a malicious actor to set the sequencer set size to extreme values disrupting protocol operations

Internal pre-conditions

1. The owner must call updateSequencerSetMaxSize() with a arbitrary value
2. There is no upper or lower bound for the sequencer set size, enabling values like 0 to 1,000

External pre-conditions

The attacker must either control the owner account or be able to influence the governance mechanism that controls this function

Attack Path

1. The attacker, controlling the owner account, calls updateSequencerSetMaxSize() with a value of 0, halting sequencer operations
2. Alternatively, the attacker sets the value to 1,000, drastically increasing the number of sequencers and reducing efficiency

Impact

• If value is set to 0, the protocol halts, leading to a complete loss of transaction processing ability. Potential loss: $500,000 in transaction fees and staking rewards over a week
• If the value is set too high, transaction confirmation times increase due to inefficiency, causing user frustration and eventual exit from platform

PoC

No response

Mitigation

Introduce input validation with reasonable bounds for the sequencer set size, e.g., between 10 and 100, to prevent extreme values