Closed by sherlock-admin 1 year ago
As mentioned in the issue:
User funds are frozen within the plugin removed with no means to access them until the plugin is added back.
In the event of it happening, it could only result in funds being held temporarily.
hyh
medium
Plugin removal can freeze user funds
Summary
There are no checks that the plugin being removed doesn't hold meaningful claimable funds. As users don't have direct access to plugins, removal means losing access to the funds within.
Vulnerability Detail
Users access plugins via StakingModule, which tracks the list of active ones. If a plugin holds funds but is removed from StakingModule's list, the users lose access to these funds.
Impact
User funds are frozen within the removed plugin with no means to access them until the plugin is added back.
This can be a permanent freeze, but setting severity to be medium due to prerequisites.
Code Snippet
StakingModule#removePlugin() doesn't check if there are funds left with it:
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L419-L429
If a plugin with positive totalClaimable() is removed this way, the corresponding user funds become inaccessible to them, as plugins can interact only with StakingModule.
Citing claiming functions as an example:
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L262-L281
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L234-L252
Tool used
Manual Review
Recommendation
Consider adding a check that the plugin is empty (or below some threshold, so that dust amounts don't block the workflow), for example:
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L419-L429
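A sketch of the recommended guard, as an added example that is not the Telcoin StakingModule code: the IPlugin interface, the removePlugin(uint256) signature, the swap-and-pop removal and the dust threshold are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example, not the audited contract. Only the accounting view the
// report relies on (totalClaimable) is assumed on the plugin side.
interface IPlugin {
    function totalClaimable() external view returns (uint256);
}

contract StakingModuleExample {
    address public owner;
    IPlugin[] public plugins;
    // Assumed: claimable amount at or below this is treated as dust and
    // does not block removal.
    uint256 public immutable removalDustThreshold;

    error PluginStillHoldsFunds(address plugin, uint256 claimable);

    constructor(uint256 dustThreshold) {
        owner = msg.sender;
        removalDustThreshold = dustThreshold;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function addPlugin(IPlugin plugin) external onlyOwner {
        plugins.push(plugin);
    }

    // Hardened removal: refuse to drop a plugin from the active list while
    // users can still claim a meaningful amount from it, so funds are never
    // stranded in a contract StakingModule no longer routes to.
    function removePlugin(uint256 index) external onlyOwner {
        uint256 claimable = plugins[index].totalClaimable();
        if (claimable > removalDustThreshold) {
            revert PluginStillHoldsFunds(address(plugins[index]), claimable);
        }
        _remove(index);
    }

    // Swap-and-pop removal; order of the active list is not preserved.
    function _remove(uint256 index) internal {
        uint256 last = plugins.length - 1;
        if (index != last) plugins[index] = plugins[last];
        plugins.pop();
    }
}
```

The revert carries the plugin address and the remaining claimable amount, so an operator sees why removal was refused and can wait for users to claim (or migrate the balance) before retrying.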