amshirif
commented
1 year ago https://github.com/telcoin/telcoin-staking/pull/6 Some changes regarding rescueERC made in separate pull
Closed sherlock-admin closed 1 year ago
amshirif
commented
1 year ago https://github.com/telcoin/telcoin-staking/pull/6 Some changes regarding rescueERC made in separate pull
hrishibhat
commented
1 year ago Input validation suggestion for a function with trusted role access. Considering as low.
ctf-sec
commented
1 year ago Escalate for 1 USDC.
The function below is also in the control of onlyOwner so I think adding validating msg.value is equal to amount is also a input validation suggestion. If issue 76 is valid and eligible for a reward, then this issue should be eligible for the reward as well.
function submit(address wallet, bytes memory walletData, address token, address recipient, uint256 amount, bytes memory swapData) external override payable onlyOwner() returns (bool) {https://github.com/sherlock-audit/2022-11-telcoin-judging/issues/76
Also, Sherlock has been rewarding the same finding here:
https://github.com/sherlock-audit/2022-10-mycelium-judging/tree/main/010-M
So I think this issue should be considered as a valid one.
Thanks.
sherlock-admin
commented
1 year ago Escalate for 1 USDC.
The function below is also in the control of onlyOwner so I think adding validating msg.value is equal to amount is also a input validation suggestion. If issue 76 is valid and eligible for a reward, then this issue should be eligible for the reward as well.
function submit(address wallet, bytes memory walletData, address token, address recipient, uint256 amount, bytes memory swapData) external override payable onlyOwner() returns (bool) {https://github.com/sherlock-audit/2022-11-telcoin-judging/issues/76
Also, Sherlock has been rewarding the same finding here:
https://github.com/sherlock-audit/2022-10-mycelium-judging/tree/main/010-M
So I think this issue should be considered as a valid one.
Thanks.
You've created a valid escalation for 1 USDC!
To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
gguney
commented
1 year ago Escalate for 5 USDC My https://github.com/sherlock-audit/2022-11-telcoin-judging/issues/49 issue was marked as duplicate of this issue. This issue is confirmed but mine was ignored.
sherlock-admin
commented
1 year ago Escalate for 5 USDC My https://github.com/sherlock-audit/2022-11-telcoin-judging/issues/49 issue was marked as duplicate of this issue. This issue is confirmed but mine was ignored.
You've created a valid escalation for 5 USDC!
To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
hrishibhat
commented
1 year ago Escalation rejected
So addplugin in mycelium is medium severity as there is a risk of irreversible damage because of external function calls on the contract. In this case, there are no external calls so plugins can always be removed.
sherlock-admin
commented
1 year ago Escalation rejected
So addplugin in mycelium is medium severity as there is a risk of irreversible damage because of external function calls on the contract. In this case, there are no external calls so plugins can always be removed.
This issue's escalations have been rejected!
Watsons who escalated this issue will have their escalation amount deducted from their next payout.
hansfriese
medium
Plugin need to be checked on addition
Summary
The plugin should be checked if it implemented the
IPluginwhen it is newly added. NOTE: This report contains a few other low-level issues as well and the sponsor encouraged sending them grouped as a Med level.Vulnerability Detail
The function
addPluginatStakingModule.sol#L409does not check if the newpluginimplemented theIPlugininterface. Because major functions iterates allpluginsfor various purposes, a wrongpluginwill make the whole protocol broken. Although this function is restricted toPLUGIN_EDITOR_ROLEonly and it is possible to fix by removing the wrong plugin, I rate this as a medium level vulnerability because it has a critical effect and the role is not a strict admin role.Some other low-level issues
rescueERC20function atFeeBuyback.sol#L94always returntruewhile it is supposed to returntrueonly when the transfer succeeds from the comments.StakingModule.sol#L378, the protocol always emitsStakeChangedevents while it is supposed to be emitted only whenoldStake != newStake.StakingModule.sol#L60, the functioninitializeis declared aspayableand I don't see any reasons for that.SimplePlugin.sol#L150, the functionsetIncreaserdoes not check if thenewIncreaseris different from the currentincreaserand an unnecessary event will be emitted.Impact
TEL coins can be stuck in plugins and it is even possible that they are forgotten.
Code Snippet
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L409 https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/fee-buyback/FeeBuyback.sol#L94 https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L378 https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L60 https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/SimplePlugin.sol#L150
Tool used
Manual Review
Recommendation
addPlugin.rescueERC20ofFeeBuyback.sol.oldStake!=newStakeatStakingModule.sol#L378.payablekeyword from theStakingModuleinitializer.newIncreaseris different from the currentincreaseratSimplePlugin.sol#L150.