When the admin removePlugin(), the pluginIndex will be changed, the original one will not be available. Users have fund in those plugins will lose the fund.
Vulnerability Detail
After removePlugin() the original pluginIndex will not be available. The call to claim() will fail due to lack of funds.
141345
high
removePlugin()
will break the claim functionSummary
When the admin
removePlugin()
, thepluginIndex
will be changed, the original one will not be available. Users have fund in those plugins will lose the fund.Vulnerability Detail
After
removePlugin()
the originalpluginIndex
will not be available. The call toclaim()
will fail due to lack of funds.Impact
User's fund could be lost or locked.
Code Snippet
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L420-L429
https://github.com/sherlock-audit/2022-11-telcoin/blob/main/contracts/StakingModule.sol#L234-L241
Tool used
Manual Review
Recommendation
Force
claim()
all user's fund before remove any plugin.Duplicate of #73