The MainRewarder contract has no way to selectively revoke access for a specific extra reward contract. This allows revoked rewards to persist indefinitely.
Vulnerability Detail
The addExtraReward() function allows adding new extra reward contracts. However, there is no functionality to remove a specific contract, only clearExtraRewards() which resets the entire array. Extra rewards can only be added by roles with DV_REWARD_MANAGER_ROLE privileges. It could allow significant manipulation of reward distributions if exploited.
This means revoked extra rewards remain able to distribute rewards indefinitely.
Impact
Malicious extra rewards can exploit persisted access to manipulate rewards even if revoked at the top level.
Summary
The MainRewarder contract has no way to selectively revoke access for a specific extra reward contract. This allows revoked rewards to persist indefinitely.
Vulnerability Detail
The addExtraReward() function allows adding new extra reward contracts. However, there is no functionality to remove a specific contract, only clearExtraRewards() which resets the entire array. Extra rewards can only be added by roles with DV_REWARD_MANAGER_ROLE privileges. It could allow significant manipulation of reward distributions if exploited.
This means revoked extra rewards remain able to distribute rewards indefinitely.
Impact
Malicious extra rewards can exploit persisted access to manipulate rewards even if revoked at the top level.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/rewarders/MainRewarder.sol#L52C4-L61C6
Adding an extra reward:
https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/rewarders/MainRewarder.sol#L67C5-L71C6
No way to remove a specific reward, only clear all:
Tool used
Manual Review
Recommendation
Add removeExtraReward(address reward) function to allow revoking individual extra rewards.