Closed sherlock-admin2 closed 9 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { This is invalid as it's unlikely to happen; the admin roles are trusted as said in ReadMe.md }
Invalid, this is speculating on admin call order, which is invalid based on Sherlock's rules, see point 5.
VAD37
medium
StakingRewardsManager.sol: the BUILDER_ROLE operation that removes staking contracts may interfere with the EXECUTOR_ROLE operation, causing wrong config and rewards setup

Summary

BUILDER_ROLE can remove staking contracts from the stakingContracts array. This operation is extremely hazardous: it swaps stakingContracts array indexes. The EXECUTOR_ROLE operation topUp() uses stakingContracts array indexes to set up config and rewards. If the stakingContracts array indexes are swapped by BUILDER_ROLE without EXECUTOR_ROLE being aware of the change, the config and rewards setup will be wrong, causing the wrong rewards amount and rewards duration for staking contracts.

Vulnerability Detail
Look at how BUILDER_ROLE removes staking contracts from the stakingContracts array. It works by swapping the last staking contract in the array into the index of the staking contract being removed, then popping the last element of the array. This removal changes how stakingContracts array indexes map to staking contracts.

Now look at how the topUp() function depends on the stakingContracts array index: https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol#L251-L278

topUp() uses the previously known array index as the ID to loop through the stakingContracts array, send rewards and update the new config. If the admin is not aware of the change while updating the new config, the rewards will simply be sent to the wrong staking contracts, because the last staking contract in the array will have been moved into the removed contract's index.

Impact

Rewards may be sent and config updated to the wrong staking contracts. The admin may send reward tokens to the wrong staking contract with no way to recover them.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol#L166-L179
Tool used
Manual Review
Recommendation
The best option is to use OpenZeppelin's Enumerable structures (EnumerableSet/EnumerableMap) as the mapping for stakingContracts. Alternatively, use a nonce as the stakingContracts ID, which is much safer; contracts can then be disabled by simply setting a boolean or updating the config.
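To make the two designs concrete, the following added Solidity sketch (not part of the Telcoin code base or of this report; contract and function names are assumed) places an index-keyed array with swap-and-pop removal beside a nonce-keyed registry whose IDs are never reused, so a stale ID can at worst be rejected rather than silently point at another contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Contrasts an index-keyed
// array (swap-and-pop on removal) with a nonce-keyed registry.
contract StakingRegistryDemo {
    struct Config { uint256 rewardAmount; uint256 rewardDuration; bool active; }

    // --- Design A: position in the array is the implicit ID ---
    address[] public stakingContracts;

    function removeByIndex(uint256 i) external {
        uint256 last = stakingContracts.length - 1;
        require(i <= last, "index out of range");
        // The last element inherits index i. Anyone holding index `last`
        // (e.g. a pending topUp call) now addresses a different contract.
        stakingContracts[i] = stakingContracts[last];
        stakingContracts.pop();
    }

    // --- Design B: monotonically increasing nonce is the ID ---
    uint256 public nextId;
    mapping(uint256 => address) public contractById;
    mapping(uint256 => Config) public configById;

    function add(address c) external returns (uint256 id) {
        id = nextId++;                 // IDs are never reused
        contractById[id] = c;
        configById[id].active = true;
    }

    function disable(uint256 id) external {
        // Removal is a flag flip; no other contract's ID changes.
        configById[id].active = false;
    }

    function topUpById(uint256[] calldata ids, Config[] calldata cfgs) external {
        require(ids.length == cfgs.length, "length mismatch");
        for (uint256 k = 0; k < ids.length; k++) {
            // A disabled or never-issued ID fails loudly instead of
            // redirecting rewards to whichever contract now sits at an index.
            require(configById[ids[k]].active, "inactive id");
            configById[ids[k]] = cfgs[k];
            // reward transfer to contractById[ids[k]] would go here
        }
    }
}
```

Access control (the BUILDER_ROLE / EXECUTOR_ROLE modifiers) is omitted so the ID-stability difference stays visible.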