Summary
Inside Polkadot/Substrate Portal validator commission input field is limited to an integer value while the creditcoin-cli command expects a float value. This misleads reporter to think that creditcoin-cli isn't validating input values correctly.
Details
While Polkadot/Substrate Portal limits validator comission input field to an integer value it actually displays the value as a float:
In other cases, e.g. Staking Pool commission in Creditcoin Staking Dashboard, comission input is also a float number:
The underlying API call is pallet_staking::Pallet::validate, where the field ValidatorPrefs::commission is represented as the Parts per Billion data type. This is a fixed point representation of a fractional (non-integer) number in the range [0, 1].
Fixed-point computation with fractional values is a well-known technique in computer science often used because it can be faster and/or use less hardware resources or retain better precision than directly using floating-point computation.
The Creditcoin blockchain team takes the stance that there is no real bug or vulnerability here and that the creditcoin-cli command is working as it was designed to.
Impact
None
Credits
Originally disclosed by dobermann-pinscher at https://huntr.com/bounties/7773da6e-7be2-484b-85a4-28441fcbef11/
Summary
Inside Polkadot/Substrate Portal validator commission input field is limited to an integer value while the
creditcoin-clicommand expects a float value. This misleads reporter to think thatcreditcoin-cliisn't validating input values correctly.Details
While Polkadot/Substrate Portal limits validator comission input field to an integer value it actually displays the value as a float:
In other cases, e.g. Staking Pool commission in Creditcoin Staking Dashboard, comission input is also a float number:
The underlying API call is pallet_staking::Pallet::validate, where the field ValidatorPrefs::commission is represented as the Parts per Billion data type. This is a fixed point representation of a fractional (non-integer) number in the range [0, 1].
Fixed-point computation with fractional values is a well-known technique in computer science often used because it can be faster and/or use less hardware resources or retain better precision than directly using floating-point computation.
The Creditcoin blockchain team takes the stance that there is no real bug or vulnerability here and that the
creditcoin-clicommand is working as it was designed to.Impact
None
Credits
Originally disclosed by dobermann-pinscher at https://huntr.com/bounties/7773da6e-7be2-484b-85a4-28441fcbef11/