The new broker pallet, responsible for handling the Coretime procurement logic, had a vulnerability that allowed users to assign Coretime they no longer owned. This is, obviously, quite problematic. The issue is described in more detail here: https://github.com/paritytech/polkadot-sdk/pull/2811 This is a small tip request for finding reporting and fixing the issue.

amount

beneficiary

Executed

Submitted

DecisionStarted

DecisionDepositPlaced

ConfirmStarted

Confirmed

small_tipper

Finding and fixing a vulnerability in broker-pallet

root

whitelisted_caller

wish_for_change

staking_admin

treasurer

lease_admin

fellowship_admin

general_admin

auction_admin

referendum_canceller

referendum_killer

big_tipper

small_spender

medium_spender

big_spender

Origin able to dispatch a whitelisted call.

Origin for signaling that the network wishes for some change

Origin able to cancel slashes and manage minimum commission.

Origin for spending up to 10,000,000 DOT from the treasury as well as generally administering it.

Origin for managing the composition of the fellowship.

Origin able to spend around 250 DOT from the treasury at once.

Origin able to spend around 1,000 DOT from the treasury at once.

Origin able to spend around 10,000 DOT from the treasury at once.

Origin able to spend around 100,000 DOT from the treasury at once.

Origin able to spend up to 1,000,000 DOT from the treasury at once.