Closed gangov closed 7 months ago
we need to keep the manager's Address
during the stake contract initialization.
That way whenever someone creates a distribution flow via create_distribution_flow(env: Env, sender: Address, asset: Address)
we check if sender == manager || sender == factory.address
file: contracts/stake/src/contract.rs location: create_distribution_flow
Some important functions in the stake contract, such as the
bond
anddistribute_rewards
functions, iterate over all the distributions recorded in the contract:for loop found in the logic of functions such as bond and distribute_rewards. It loops over all the distributions created.
The
create_distribution_flow
function is used to create a new distribution, appending it to the vector of distributions. Currently, this function lacks any access control (only requiring the sender’s authorization), allowing any user to create any number of distributions.Impact: A malicious user can DoS important functionality of the stake contract by creating distributions at its discretion.
Recommendation: The creation of distributions should have access control.