Description
The committee_map.move module defines three committee types with specific node count requirements:
• FAMILY committees need more than 1 node
• CLAN committees require an odd number of nodes greater than or equal to 3 for Byzantine fault tolerance (2f+1)
• TRIBE committees need node counts in the format 3f+1 with at least 4 nodes
The validate_committee_type() function enforces these constraints at creation time, through upsert_committee(). The vulnerability is that member-removal operations such as remove_committee_member() do not re-validate the committee type constraints after nodes are removed. An attacker or administrator can therefore create a committee that satisfies its type requirements and then remove members one at a time until the remaining node count no longer meets the consensus requirements of that type.
This compromises the consensus security and operational integrity of the committee system by allowing committees to persist in states that violate their declared fault-tolerance properties.
Recommendation
Implement committee type re-validation in all member management functions, particularly remove_committee_member() and remove_committee_bulk(), so that the remaining node count is checked against the committee type requirements before the removal operation is allowed to proceed.
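As an added illustration of both the constraints in the description and the recommended fix (this is a Python model, not the project's Move code; the CommitteeType and Committee names are assumed), the block below keeps the creation-time rules in one predicate and reuses that predicate on the post-removal count, so a single removal or a bulk removal that would leave a CLAN with an even count or a TRIBE off the 3f+1 grid is rejected before any state changes:

```python
"""Model of committee-type validation and a re-validating removal path.
Added illustration; names and classes are assumed, not the project's API."""
from enum import Enum, auto


class CommitteeType(Enum):
    FAMILY = auto()
    CLAN = auto()
    TRIBE = auto()


def validate_committee_type(ctype: CommitteeType, node_count: int) -> bool:
    """The creation-time rules from the issue, applied to a node count."""
    if ctype is CommitteeType.FAMILY:
        return node_count > 1
    if ctype is CommitteeType.CLAN:   # 2f+1 with f >= 1: odd and at least 3
        return node_count >= 3 and node_count % 2 == 1
    if ctype is CommitteeType.TRIBE:  # 3f+1 with f >= 1: at least 4
        return node_count >= 4 and node_count % 3 == 1
    raise ValueError(f"unknown committee type {ctype}")


class Committee:
    def __init__(self, ctype: CommitteeType, members) -> None:
        members = set(members)
        if not validate_committee_type(ctype, len(members)):
            raise ValueError("node count violates committee type")
        self.ctype, self.members = ctype, members

    def remove_member_unchecked(self, member) -> None:
        """Models the reported behaviour: removal with no re-validation."""
        self.members.discard(member)

    def remove_committee_bulk(self, to_remove) -> None:
        """Hardened path: reject the batch if the survivors break the type."""
        to_remove = set(to_remove)
        if not to_remove <= self.members:
            raise KeyError("unknown member in removal set")
        if not validate_committee_type(self.ctype, len(self.members - to_remove)):
            raise ValueError("removal would violate committee type constraints")
        self.members -= to_remove  # only mutate after the check passes

    def remove_committee_member(self, member) -> None:
        """Single removal is just a bulk removal of one node."""
        self.remove_committee_bulk([member])

    def is_valid(self) -> bool:
        return validate_committee_type(self.ctype, len(self.members))
```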