Closed sherlock-admin closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { This is invalid because constructor is not user control function and thus won't be able to call it; admin will make sure it's never negative when setting}
Invalid, period is a uint256 that can only take positive values.
0xC
high
Negative challengePeriod can be assigned in the constructor of TelcoinDistributor contract
Medium
Summary
The TelcoinDistributor smart contract, as presented, contains a vulnerability in the constructor function that allows for the assignment of a negative value to the challengePeriod variable, which should represent a time duration.
Vulnerability Detail
In the TelcoinDistributor contract's constructor function, the challengePeriod variable is initialized without proper validation. This allows for the assignment of negative values to challengePeriod, which is intended to represent a time duration in seconds.
Impact
Allowing the challengePeriod to be assigned a negative value can have a significant impact on the behavior of the TelcoinDistributor contract. Negative time durations can lead to unpredictable behavior and may result in incorrect challenge period calculations. This potentially will disrupt the intended operation of the contract and compromise its security.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/protocol/core/TelcoinDistributor.sol#L64
Tool used
Manual Review
Recommendation
To mitigate this vulnerability, it is recommended to add a validation check in the constructor to ensure that the challengePeriod is assigned a positive value. This can be done by adding the following require statement:
By implementing this change, the contract will only accept positive values for the challengePeriod variable, enhancing the security and reliability of the TelcoinDistributor contract.
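The following added illustration (not part of the original issue and not code from the Telcoin repository) models the point made in the judging comment: a constructor argument typed uint256 is read from a 32-byte ABI word as an unsigned integer, so no input decodes to a negative duration. The helper names are hypothetical, and the encoder is assumed to be strict in the way common client libraries are.

```python
# Added illustration: how a 32-byte ABI word is read as uint256.
# Helper names are hypothetical; nothing here is taken from TelcoinDistributor.sol.

UINT256_MAX = 2**256 - 1
WORD = 32  # ABI words are 32 bytes, big-endian


def encode_uint256(value: int) -> bytes:
    """Strict encoder (assumed behaviour): out-of-range values are refused."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError(f"{value} is not representable as uint256")
    return value.to_bytes(WORD, "big")


def encode_int256(value: int) -> bytes:
    """Two's-complement encoding used for the signed type int256."""
    if not -(2**255) <= value < 2**255:
        raise ValueError(f"{value} is not representable as int256")
    return (value % 2**256).to_bytes(WORD, "big")


def decode_uint256(word: bytes) -> int:
    """What a uint256 parameter receives: always within 0..UINT256_MAX."""
    if len(word) != WORD:
        raise ValueError("ABI word must be exactly 32 bytes")
    return int.from_bytes(word, "big")


def try_negative_period(seconds: int) -> str:
    """Report what happens when `seconds` is supplied for a uint256 parameter."""
    try:
        encode_uint256(seconds)
        return "accepted"
    except ValueError:
        # Forcing the signed bit pattern through only yields a large positive number.
        forced = decode_uint256(encode_int256(seconds))
        return f"rejected; signed bytes read back as {forced}"


if __name__ == "__main__":
    for sample in (86400, -1, -86400):  # constructed sample durations in seconds
        print(sample, "->", try_negative_period(sample))
```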