Closed sherlock-admin closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { This is invalid as the first call to retrieve will send the max token available making it impossible to call multiple times as the watson explain}
Invalid, if there is only one council elected, then sure they can retrieve what they deserve. In addition, it is up to owner() to transfer delegated rewards
0xAnmol
medium
The First CouncilNFT holder can drain all the tokens from sablier
Summary
The First CouncilNFT holder can drain all the tokens from sablier
Vulnerability Detail
The protocol is supposed to send tokens to the Sablier stream before the minting of the councilMember NFT occurs. If this step is not completed, minting will throw an error with ERC20: InsufficientBalance due to a balance of 0 in the Sablier _target address.
In this scenario, if the NFT is minted individually then, the first NFT holder can call retrieve multiple times increasing its TEL balance and draining the streaming funds.
Steps protocol send 1000 TEL to sablier stream mint councilMember NFT to user- A user - A calls retrieve multiple times frontrunning all other mint transactions balances[0] = 1000 TEL
Impact
Initial members can drain all the streaming funds.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L82
Tool used
Manual Review
Recommendation
The rewards should be streamed per second bases rather than streaming when retrieve is called.