Phoenix-Protocol-Group / phoenix-contracts

Source code of the smart contracts of the Phoenix DeFi hub DEX protocol
GNU General Public License v3.0

[V-PHX-VUL-009] Any user can DoS important functionality of the stake contract #209

Closed gangov closed 7 months ago

gangov commented 7 months ago

file: contracts/stake/src/contract.rs
location: create_distribution_flow

Some important functions in the stake contract, such as the bond and distribute_rewards functions, iterate over all the distributions recorded in the contract:

for distribution_address in get_distributions(&env) {
    // ...
}

For loop found in the logic of functions such as bond and distribute_rewards. It loops over all the distributions created.

The create_distribution_flow function is used to create a new distribution, appending it to the vector of distributions. Currently, this function lacks any access control (only requiring the sender’s authorization), allowing any user to create any number of distributions.

Impact: A malicious user can DoS important functionality of the stake contract by creating distributions at their discretion.

Recommendation: The creation of distributions should have access control.

gangov commented 7 months ago

We need to keep the manager's Address during the stake contract initialization.

That way, whenever someone creates a distribution flow via create_distribution_flow(env: Env, sender: Address, asset: Address), we check if sender == manager || sender == factory.address.
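
A plain-Rust model of the check proposed in this thread, added here as an illustration and not taken from the phoenix-contracts repository. It shows the unrestricted path next to the manager/factory-gated one and how the list length drives the loop in bond and distribute_rewards. `Stake`, `Error`, `bond_iterations` and the `_unchecked` variant are hypothetical names, and `Address` is a string stand-in for the Soroban type.

```rust
// Added example: plain-Rust model, not the project's code and not soroban-sdk.
// `Address`, `Stake` and `Error` are simplified stand-ins (assumptions).
type Address = &'static str;

#[derive(Debug, PartialEq)]
enum Error {
    Unauthorized,
}

struct Stake {
    manager: Address, // kept from initialization, as the comment proposes
    factory: Address,
    distributions: Vec<Address>,
}

impl Stake {
    fn new(manager: Address, factory: Address) -> Self {
        Stake { manager, factory, distributions: Vec::new() }
    }

    // Before: the sender only authorizes the call (assumed done), so anyone can append.
    fn create_distribution_flow_unchecked(&mut self, _sender: Address, asset: Address) {
        self.distributions.push(asset);
    }

    // After: sender == manager || sender == factory, otherwise reject.
    fn create_distribution_flow(&mut self, sender: Address, asset: Address) -> Result<(), Error> {
        if sender != self.manager && sender != self.factory {
            return Err(Error::Unauthorized);
        }
        self.distributions.push(asset);
        Ok(())
    }

    // Stand-in for the loop in bond / distribute_rewards: one step per distribution.
    fn bond_iterations(&self) -> usize {
        self.distributions.iter().count()
    }
}

fn main() {
    let mut open = Stake::new("manager", "factory");
    for _ in 0..1000 {
        open.create_distribution_flow_unchecked("mallory", "junk_asset");
    }
    let mut fixed = Stake::new("manager", "factory");
    let rejected = fixed.create_distribution_flow("mallory", "junk_asset");
    println!("open: {} steps per bond", open.bond_iterations());
    println!("fixed: {:?}, {} steps per bond", rejected, fixed.bond_iterations());
}
```

In the model, the per-call work of every later bond is set by whoever is allowed to append, which is why the gate belongs on creation rather than inside the loop.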