Closed sherlock-admin closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { The function in question is the updateID and there's a governance modifier in place, making it invalid according to Sherlock rules }
request poc
PoC requested from @retsoko
Requests remaining: 9
The protocol team fixed this issue in PR/commit https://github.com/telcoin/telcoin-audit/pull/49.
The Lead Senior Watson signed-off on the fix.
Tricko
high
Funds can be lost when changing stream parameters in CouncilMember contract

Summary

Because `CouncilMember._retrieve()` isn't called prior to modifying stream parameters via either `CouncilMember.updateID()` or `CouncilMember.updateTarget()`, any funds accrued since the last `_retrieve()` call will be forfeited.

Vulnerability Detail

For accurate token distribution, it's crucial to call the internal method `CouncilMember._retrieve()` before significant state changes in the contract, such as token minting or claims. Unfortunately, this step is omitted before important methods like `CouncilMember.updateTarget()` or `CouncilMember.updateID()`. Consequently, funds accrued in the stream but not yet withdrawn won't be distributed.

For example, if the stream is switched, necessitating a modification of the `_id` parameter via `CouncilMember.updateID()`, all funds accumulated in the previous stream since the last `_retrieve()` call will become inaccessible.

Impact

Loss of funds during stream migrations.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L236-L256
Tool used
Manual Review
Recommendation
Consider calling `CouncilMember._retrieve()` before setting the new values of `_target` and `_id`, so that funds distribution is done before changing stream parameters.

Duplicate of #99
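The settle-before-switch pattern the recommendation describes, as an added illustration that is not CouncilMember's code nor any Telcoin code: the `IStream` interface, the `StreamConsumer` contract, its `undistributed` accounting and the `withdrawMax` call are all assumptions made for this example. `updateIDUnsafe` shows the shape of the reported bug (the stream pointer changes while withdrawable funds are still sitting in the old stream); `updateID` and `updateTarget` show the fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal stream interface (an assumption for this example,
// not the interface CouncilMember actually consumes).
interface IStream {
    // Withdraws everything currently withdrawable from `streamId` to `to`
    // and returns the amount withdrawn.
    function withdrawMax(uint256 streamId, address to) external returns (uint128);
}

interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical consumer of a token stream, standing in for the real contract.
contract StreamConsumer {
    IERC20Minimal public immutable token;
    IStream public target;        // stream contract currently consumed
    uint256 public id;            // stream id currently consumed
    address public governance;
    // Tokens already pulled from the stream and awaiting distribution
    // (distribution itself is out of scope for this example).
    uint256 public undistributed;

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(IERC20Minimal token_, IStream target_, uint256 id_) {
        token = token_;
        target = target_;
        id = id_;
        governance = msg.sender;
    }

    // Pulls everything accrued in the *current* (target, id) pair into this
    // contract and books it for distribution. Must run before any change to
    // `target` or `id`, otherwise the accrued amount stays in a stream this
    // contract no longer points at.
    function _retrieve() internal {
        uint256 before = token.balanceOf(address(this));
        target.withdrawMax(id, address(this));
        undistributed += token.balanceOf(address(this)) - before;
    }

    // Vulnerable shape: the pointer moves first, so whatever was withdrawable
    // from the old stream is never retrieved through this contract.
    function updateIDUnsafe(uint256 newId) external onlyGovernance {
        id = newId;
    }

    // Hardened shape: settle the old stream, then switch.
    function updateID(uint256 newId) external onlyGovernance {
        _retrieve();
        id = newId;
    }

    // Same ordering applies when the stream contract itself changes.
    function updateTarget(IStream newTarget) external onlyGovernance {
        _retrieve();
        target = newTarget;
    }
}
```

When reviewing such a fix, check that `_retrieve()` is invoked on the old `(target, id)` pair, i.e. before either assignment, and that it does not revert when nothing is withdrawable yet (some stream implementations revert on a zero withdrawal), since a reverting settle would block the governance update outright.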