sherlock-audit / 2023-06-tokemak

0 stars 1 forks source link

Inability to Revoke Extra Reward Contracts Individually in MainRewarder #1

Open MrViNC3R3 opened 1 year ago

MrViNC3R3 commented 1 year ago

Summary

The MainRewarder contract has no way to selectively revoke access for a specific extra reward contract. This allows revoked rewards to persist indefinitely.

Vulnerability Detail

The addExtraReward() function allows adding new extra reward contracts. However, there is no functionality to remove a specific contract, only clearExtraRewards() which resets the entire array. Extra rewards can only be added by roles with DV_REWARD_MANAGER_ROLE privileges. It could allow significant manipulation of reward distributions if exploited.

This means revoked extra rewards remain able to distribute rewards indefinitely.

Impact

Malicious extra rewards can exploit persisted access to manipulate rewards even if revoked at the top level.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/rewarders/MainRewarder.sol#L52C4-L61C6

Adding an extra reward:

function addExtraReward(address reward) external hasRole(Roles.DV_REWARD_MANAGER_ROLE) {
        if (!allowExtraRewards) {
            revert ExtraRewardsNotAllowed();
        }
        Errors.verifyNotZero(reward, "reward");

        extraRewards.push(reward);

        emit ExtraRewardAdded(reward);
    }

https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/rewarders/MainRewarder.sol#L67C5-L71C6

No way to remove a specific reward, only clear all:

function clearExtraRewards() external hasRole(Roles.DV_REWARD_MANAGER_ROLE) {
        delete extraRewards;

        emit ExtraRewardsCleared();
    }

Tool used

Manual Review

Recommendation

Add removeExtraReward(address reward) function to allow revoking individual extra rewards.

akshaysrivastav commented 1 year ago

Hey @MrViNC3R3 you should create issues in your respective private repo. https://docs.sherlock.xyz/audits/watsons