Closed sherlock-admin closed 1 year ago
https://github.com/telcoin/telcoin-staking/pull/6 Some changes regarding rescueERC made in separate pull
Input validation suggestion for a function with trusted role access. Considering as low.
Escalate for 1 USDC.
The function below is also under the control of onlyOwner, so I think adding validation that msg.value equals amount is also an input validation suggestion. If issue 76 is valid and eligible for a reward, then this issue should be eligible for the reward as well.
function submit(address wallet, bytes memory walletData, address token, address recipient, uint256 amount, bytes memory swapData) external override payable onlyOwner() returns (bool) {
https://github.com/sherlock-audit/2022-11-telcoin-judging/issues/76
Also, Sherlock has been rewarding the same finding here:
https://github.com/sherlock-audit/2022-10-mycelium-judging/tree/main/010-M
So I think this issue should be considered as a valid one.
Thanks.
You've created a valid escalation for 1 USDC!
To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalate for 5 USDC. My issue https://github.com/sherlock-audit/2022-11-telcoin-judging/issues/49 was marked as a duplicate of this issue. This issue is confirmed but mine was ignored.
You've created a valid escalation for 5 USDC!
To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation rejected
So addPlugin in Mycelium is medium severity because there is a risk of irreversible damage from external function calls on the contract. In this case there are no external calls, so plugins can always be removed.
This issue's escalations have been rejected!
Watsons who escalated this issue will have their escalation amount deducted from their next payout.
hansfriese
medium
Plugin needs to be checked on addition
Summary
A newly added plugin should be checked to confirm that it implements the IPlugin interface. NOTE: This report contains a few other low-level issues as well, and the sponsor encouraged sending them grouped as a Med level.
Vulnerability Detail
The function addPlugin at StakingModule.sol#L409 does not check whether the new plugin implements the IPlugin interface. Because the major functions iterate over all plugins for various purposes, a wrong plugin will break the whole protocol. Although this function is restricted to PLUGIN_EDITOR_ROLE only and it is possible to fix by removing the wrong plugin, I rate this as a medium level vulnerability because it has a critical effect and the role is not a strict admin role.
Some other low-level issues
- The rescueERC20 function at FeeBuyback.sol#L94 always returns true, while according to the comments it is supposed to return true only when the transfer succeeds.
- StakingModule.sol#L378: the protocol always emits StakeChanged events, while the event is supposed to be emitted only when oldStake != newStake.
- StakingModule.sol#L60: the function initialize is declared as payable and I don't see any reason for that.
- SimplePlugin.sol#L150: the function setIncreaser does not check whether newIncreaser is different from the current increaser, so an unnecessary event will be emitted.
Impact
TEL coins can be stuck in plugins and it is even possible that they are forgotten.
Code Snippet
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L409
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/fee-buyback/FeeBuyback.sol#L94
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L378
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L60
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/SimplePlugin.sol#L150
Tool used
Manual Review
Recommendation
- Check that the new plugin implements the IPlugin interface in addPlugin.
- Return the actual transfer result in rescueERC20 of FeeBuyback.sol.
- Emit StakeChanged only when oldStake != newStake at StakingModule.sol#L378.
- Remove the payable keyword from the StakingModule initializer.
- Check that newIncreaser is different from the current increaser at SimplePlugin.sol#L150.
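The following is an added example, not Telcoin's code, showing one way to implement the five recommendations above in a single registry-style contract: an interface probe before a plugin is pushed into the array, a no-op guard on the stake event and on setIncreaser, a non-payable initializer, and a rescue function that returns the token's own result. The IPlugin and IERC20 interfaces are assumed minimal stand-ins (the real Telcoin interfaces may differ), and the access control is reduced to a plain onlyOwner for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed minimal IPlugin: only the one entry point the probe below calls.
// The real interface in the audited repository may differ.
interface IPlugin {
    function requiresNotification() external view returns (bool);
}

// Assumed minimal IERC20 (only what rescueERC20 needs).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract PluginRegistryExample {
    address public owner;
    address public increaser;
    address[] public plugins;
    mapping(address => uint256) private stakes;

    event PluginAdded(address indexed plugin);
    event StakeChanged(address indexed account, uint256 oldStake, uint256 newStake);
    event IncreaserChanged(address indexed oldIncreaser, address indexed newIncreaser);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Not payable: the initializer has no use for ETH, so any value sent reverts.
    constructor() {
        owner = msg.sender;
    }

    // Reject anything that is not a contract exposing the IPlugin entry point
    // the module relies on, so a bad address can never enter the plugins array.
    function addPlugin(address newPlugin) external onlyOwner {
        require(newPlugin != address(0), "zero address");
        require(newPlugin.code.length > 0, "not a contract");
        for (uint256 i = 0; i < plugins.length; i++) {
            require(plugins[i] != newPlugin, "already added");
        }
        // Probe with a staticcall: an EOA, a contract lacking this function,
        // or a fallback that returns no data all fail here instead of
        // reverting later inside every loop over `plugins`.
        (bool ok, bytes memory ret) = newPlugin.staticcall(
            abi.encodeWithSelector(IPlugin.requiresNotification.selector)
        );
        require(ok && ret.length == 32, "not an IPlugin");
        plugins.push(newPlugin);
        emit PluginAdded(newPlugin);
    }

    function setStake(address account, uint256 newStake) external onlyOwner {
        _setStake(account, newStake);
    }

    // Emit StakeChanged only when the stake actually changes.
    function _setStake(address account, uint256 newStake) internal {
        uint256 oldStake = stakes[account];
        if (oldStake == newStake) return;
        stakes[account] = newStake;
        emit StakeChanged(account, oldStake, newStake);
    }

    // Refuse a no-op update so no spurious event is emitted.
    function setIncreaser(address newIncreaser) external onlyOwner {
        address old = increaser;
        require(newIncreaser != old, "increaser unchanged");
        increaser = newIncreaser;
        emit IncreaserChanged(old, newIncreaser);
    }

    // Return the token's own result instead of a hard-coded true. Tokens that
    // return no data are treated as success only if the call did not revert
    // and the target is a contract (an EOA would otherwise "succeed" silently).
    function rescueERC20(address token, address to, uint256 amount)
        external
        onlyOwner
        returns (bool)
    {
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        return ok && (ret.length == 0 || abi.decode(ret, (bool)));
    }
}
```

The staticcall probe is deliberately chosen over trusting a typed cast: casting an arbitrary address to IPlugin compiles fine but defers the failure to the first real call, which in a design that loops over every plugin is exactly the "whole protocol broken" outcome the report describes. The probe checks return-data length rather than decoding the bool, so a contract with a catch-all fallback that returns nothing is still rejected.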