sherlock-audit / 2024-01-telcoin-judging


zzykxx - `removeFromOffice()` can be frontrun by council member #150

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

zzykxx

medium

removeFromOffice() can be frontrun by council member

Summary

The function removeFromOffice() can be front-run by the council member being replaced to claim TELCOIN tokens before they get replaced.

Vulnerability Detail

The function removeFromOffice() in CouncilMember.sol can be called by the GOVERNANCE_COUNCIL_ROLE to replace a specific council member with another one. The GOVERNANCE_COUNCIL_ROLE can specify an address rewardRecipient to which the current amount of TELCOIN owed to the council member being replaced will be sent.

A sophisticated council member can front-run the call to removeFromOffice() with a call to claim(), claiming TELCOIN before it gets withdrawn to rewardRecipient.

Impact

Sophisticated council members have an advantage over non-sophisticated ones when it comes to the function removeFromOffice() because they are able to claim tokens they should not be able to claim.

Code Snippet

Tool used

Manual Review

Recommendation

Other protocols solved this issue by implementing a claim queue, meaning council members signal their intention to claim TELCOIN tokens and only after a pre-determined amount of time (ex. 3 days) can they transfer the tokens to themselves.
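One way to sketch the claim queue the recommendation describes, as an added illustration that is not Telcoin's CouncilMember.sol and not code from the submitter: the contract name, the 3-day CLAIM_DELAY, the owed / claimRequestedAt mappings and the simplified accrual and replacement logic are all assumptions. The point it shows is that a front-running transaction can only signal a claim; it cannot move tokens ahead of the governance call, and the governance call clears any pending request.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration of a delayed claim queue (assumed names throughout).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ClaimQueueExample {
    // Assumed delay between signalling a claim and being able to execute it.
    uint256 public constant CLAIM_DELAY = 3 days;

    IERC20 public immutable telcoin;
    address public governance;

    // Accrued but unclaimed balance per council member (assumed accounting;
    // how it accrues is out of scope for this example).
    mapping(address => uint256) public owed;
    // Timestamp at which a member signalled intent to claim; 0 = no pending claim.
    mapping(address => uint256) public claimRequestedAt;

    event ClaimRequested(address indexed member, uint256 executableAt);
    event ClaimExecuted(address indexed member, uint256 amount);
    event RemovedFromOffice(address indexed member, address indexed rewardRecipient, uint256 amount);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(IERC20 _telcoin, address _governance) {
        telcoin = _telcoin;
        governance = _governance;
    }

    // Step 1: the member signals intent. Nothing is transferred yet, so a
    // transaction that lands just before removeFromOffice() gains nothing.
    function requestClaim() external {
        require(owed[msg.sender] > 0, "nothing owed");
        claimRequestedAt[msg.sender] = block.timestamp;
        emit ClaimRequested(msg.sender, block.timestamp + CLAIM_DELAY);
    }

    // Step 2: only after CLAIM_DELAY has elapsed may the member withdraw.
    function executeClaim() external {
        uint256 requestedAt = claimRequestedAt[msg.sender];
        require(requestedAt != 0, "no pending claim");
        require(block.timestamp >= requestedAt + CLAIM_DELAY, "claim delay not elapsed");

        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        claimRequestedAt[msg.sender] = 0;

        require(telcoin.transfer(msg.sender, amount), "transfer failed");
        emit ClaimExecuted(msg.sender, amount);
    }

    // Governance replacement. The outstanding balance is settled to
    // rewardRecipient and any pending claim request is cleared, so the removed
    // member cannot finish a claim that was queued before the removal.
    function removeFromOffice(address member, address rewardRecipient) external onlyGovernance {
        uint256 amount = owed[member];
        owed[member] = 0;
        claimRequestedAt[member] = 0;

        if (amount > 0) {
            require(telcoin.transfer(rewardRecipient, amount), "transfer failed");
        }
        emit RemovedFromOffice(member, rewardRecipient, amount);
    }
}
```

The queue also makes the intent visible on-chain: a ClaimRequested event gives governance the full delay window to act before any tokens leave, which is the property the recommendation relies on. Whether the removed member should keep tokens already accrued is a policy question the judging comments below disagree on; the queue only removes the race.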

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid because { watson explains how a council member can front-run the removeFromOffice call by governance to claim his reward before it's sent to another address; valid}

nevillehuang commented 7 months ago

Invalid, council members are still entitled to claim whatever tokens are assigned to them before removal, so this is a non-issue