sherlock-audit / 2024-01-telcoin-judging


ravikiran.web3 - TelcoinDistributor::challengeTransaction() will block the transaction permanently #155

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

ravikiran.web3

medium

TelcoinDistributor::challengeTransaction() will block the transaction permanently

Summary

A challenger can challenge a proposed transaction. Once challenged, it is permanently blocked.

Vulnerability Detail

When a challenger challenges a proposed transaction within the specified window, the challenged flag is set to true. The executor will revert if a transaction has its challenged flag set to true.

There is no other mechanism provided in the contract to release the challenged state.

Impact

Challenged transactions are permanently blocked.

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/protocol/core/TelcoinDistributor.sol#L115-L136

    require(
        !proposedTransactions[transactionId].challenged,
        "TelcoinDistributor: transaction has been challenged"
    );

During transaction execution, if the transaction's challenged flag is true, it will revert.

Tool used

Manual Review

Recommendation

It is not clear if a challenge is more like a permanent block. There should be a mechanism to release the transaction if the challenge is taken back, but such an implementation is not apparent from the code base.

Duplicate of #142

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { This is like a veto and can only be done by council members; they can veto it and it will never pass; I believe it's an intended behavior }
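
The lifecycle described in the report and the judging comment, as an added Python model that is not part of the original issue or the Telcoin code base: it runs every interleaving of tick, challenge and execute and checks that an accepted challenge is terminal. The class, method names and the `WINDOW` value are hypothetical, and the rule that execution needs the window to have elapsed is an assumption.

```python
from itertools import product

WINDOW = 2  # assumed challenge window in ticks (constructed value)

class Proposal:
    """Simplified model of one proposed transaction; names are hypothetical."""

    def __init__(self):
        self.age = 0
        self.challenged = False
        self.executed = False

    def tick(self):
        self.age += 1
        return True

    def challenge(self):
        # Assumption: a challenge is only accepted inside the window.
        if self.age > WINDOW or self.executed:
            return False
        self.challenged = True
        return True

    def execute(self):
        # Same condition as the require() quoted in the report: a challenged
        # proposal always reverts. Assumption: execution also needs the
        # window to have elapsed and succeeds at most once.
        if self.challenged or self.executed or self.age <= WINDOW:
            return False
        self.executed = True
        return True

def explore(depth):
    """Run every action sequence of length `depth`. Return the sequences in
    which execute() succeeded after an accepted challenge, and the number
    of sequences that ended executed."""
    violations, executed = [], 0
    for seq in product(("tick", "challenge", "execute"), repeat=depth):
        p, vetoed = Proposal(), False
        for action in seq:
            ok = getattr(p, action)()
            vetoed = vetoed or (action == "challenge" and ok)
            if action == "execute" and ok and vetoed:
                violations.append(seq)
        executed += p.executed
    return violations, executed

if __name__ == "__main__":
    print(explore(6))
```
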