Closed sherlock-admin closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { this is invalid because the contract ensures that all the amounts specified have been sent to the recipient and if that didn't happen the function will revert with leftover issues}
popeye
high
Unstable Transaction Handling in TelcoinDistributor::proposeTransaction due to mismatch in array lengths
Summary
Vulnerability Detail
In the TelcoinDistributor::proposeTransaction function, users (specifically council members) can propose transactions by providing two arrays: destinations (recipient addresses) and amounts (Telcoin amounts). The absence of a check to ensure these arrays are of equal length allows for the possibility of submitting a proposal with an unequal number of destinations and amounts. This design flaw is a significant oversight in the contract's logic.
Impact
It can lead to unpredictable transaction behavior, potential financial loss, and a compromise in the contract’s integrity.
Proof of Concept
Consider a scenario with Alice and Attacker:
Step-by-Step Exploitation
Legitimate Proposal by Alice:
destinations: [Address1, Address2, Address3, Address4].
amounts: [100, 100, 100, 100].
proposeTransaction.
Malicious Proposal by Attacker:
destinations: [VictimAddress1, VictimAddress2].
amounts: [150, 150, 200] (Intentionally providing an extra amount).
proposeTransaction.
Contract's Flawed Acceptance:
Execution of Proposals:
Consequences:
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/protocol/core/TelcoinDistributor.sol#L87-L106
Tool used
Manual Review
Recommendation
Implement an array length equality check in the proposeTransaction function:
Duplicate of #2
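One way to write the array length equality check recommended in the report, as an added example that is not the report's or the project's own code. The contract name, storage layout, custom errors and the declaredTotal parameter are hypothetical; only the function name and the two array parameters come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: hypothetical minimal contract, NOT TelcoinDistributor itself.
// Storage layout, error names and declaredTotal are assumptions for illustration.
contract ProposalLengthCheck {
    struct Proposal {
        uint256 declaredTotal;
        address[] destinations;
        uint256[] amounts;
    }

    error LengthMismatch(uint256 destinationCount, uint256 amountCount);
    error EmptyProposal();
    error TotalMismatch(uint256 declared, uint256 summed);

    Proposal[] private _proposals;

    function proposeTransaction(
        uint256 declaredTotal,
        address[] calldata destinations,
        uint256[] calldata amounts
    ) external returns (uint256 id) {
        // Validate at proposal time so a malformed proposal is never stored.
        // The report's second proposal (2 destinations, 3 amounts) reverts
        // here with LengthMismatch(2, 3).
        if (destinations.length != amounts.length) {
            revert LengthMismatch(destinations.length, amounts.length);
        }
        if (destinations.length == 0) revert EmptyProposal();

        // Checked arithmetic in 0.8+ reverts on overflow while summing.
        uint256 summed;
        for (uint256 i = 0; i < amounts.length; ++i) {
            summed += amounts[i];
        }
        // Every unit the proposer declares must map to exactly one recipient.
        if (summed != declaredTotal) revert TotalMismatch(declaredTotal, summed);

        // Store only after all checks pass.
        id = _proposals.length;
        Proposal storage p = _proposals.push();
        p.declaredTotal = declaredTotal;
        p.destinations = destinations;
        p.amounts = amounts;
    }
}
```

Rejecting the mismatch when the proposal is submitted, rather than when it is executed, keeps an unexecutable proposal out of storage and gives reviewers an explicit revert reason.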