Closed sherlock-admin2 closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because { This is valid and a dup of 086; it should have been a high severity; but due to the impact mentioned in issue 086 I'm making it medium because it will likely be discovered before even talking about the funds being in the contract, I believe }
Submitted by eeshenggoh, severity: high
Overinflated rewards updated due to flaw in calling SablierV2ProxyTarget
Summary
CouncilMember::_retrieve() is used to retrieve TELCOIN from the stream held by _target and distribute it to council members. It uses a Sablier PRBProxy to withdraw the tokens to the CouncilMember contract. The problem lies in the wrong input parameter being passed to that proxy call.
Vulnerability Detail
The call to ISablierV2ProxyTarget::withdrawMax() implemented in CouncilMember::_retrieve() goes through the proxy with an encoded selector. The withdrawal will never be executed, because the input variable passed to the proxy call uses the wrong address. (See ISablierV2ProxyTarget line 74 and the Etherscan implementation for the line of code.)
Impact
The call to Sablier's ProxyTarget will never be executed, so no TELCOIN actually arrives, yet the rewards credited to users are still updated and therefore overinflated.
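To show the defensive shape of this retrieval, here is an added example (not the audited CouncilMember code and not Sablier's or PRBProxy's own source): it routes withdrawMax through the proxy and credits members only with the TELCOIN that actually arrived, so a call that silently does nothing cannot inflate balances. The contract name, state variable names, the address-typed lockup parameter and the even-split distribution loop are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces modelled on the Sablier ProxyTarget / PRBProxy calling
// pattern the report describes. Everything below is illustrative, not the
// audited contract.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

interface IPRBProxy {
    function execute(address target, bytes calldata data) external payable returns (bytes memory);
}

interface ISablierV2ProxyTarget {
    function withdrawMax(address lockup, uint256 streamId, address to) external;
}

contract CouncilRetrieveExample {
    IERC20 public immutable TELCOIN;
    IPRBProxy public immutable proxy;      // the council's PRBProxy (the report's _target)
    address public immutable proxyTarget;  // SablierV2ProxyTarget: what the proxy must delegatecall
    address public immutable lockup;       // Sablier lockup contract holding the stream
    uint256 public immutable streamId;
    address[] public members;
    mapping(address => uint256) public balances;

    constructor(IERC20 telcoin, IPRBProxy proxy_, address proxyTarget_, address lockup_, uint256 streamId_, address[] memory members_) {
        TELCOIN = telcoin; proxy = proxy_; proxyTarget = proxyTarget_;
        lockup = lockup_; streamId = streamId_; members = members_;
    }

    // Withdraw the stream through the proxy, then credit members only with
    // what actually arrived. If the execute target or recipient is wrong the
    // balance delta is zero, so the function reverts instead of inflating balances.
    function retrieve() external returns (uint256 received) {
        uint256 before = TELCOIN.balanceOf(address(this));
        proxy.execute(
            proxyTarget,
            abi.encodeCall(ISablierV2ProxyTarget.withdrawMax, (lockup, streamId, address(this)))
        );
        received = TELCOIN.balanceOf(address(this)) - before;
        require(received > 0, "withdrawMax moved no TELCOIN");
        uint256 share = received / members.length;
        for (uint256 i = 0; i < members.length; i++) {
            balances[members[i]] += share;
        }
    }
}
```

The revert on a zero balance delta is deliberate: it makes a misconfigured proxy target or recipient visible at the first retrieval instead of letting reward accounting drift away from the tokens the contract really holds.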
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L270-L279C1
Tool used
Manual Review
Recommendation
Duplicate of #139