search

sherlock-audit / 2024-01-telcoin-judging

6 stars 5 forks source link

Dots - function recoverERC20FromStaking calls recoverERC20 with wrong parameters #173

Closed sherlock-admin2 closed 6 months ago

sherlock-admin2 commented 6 months ago

Dots

medium

function recoverERC20FromStaking calls recoverERC20 with wrong parameters

Summary

Function recoverERC20FromStaking calls recoverERC20 with wrong parameters

Vulnerability Detail

Function recoverERC20 expects to recieve IERC20 tokenAddress, uint256 tokenAmount, address to in this order. However the recoverERC20FromStaking function calls the recoverERC20 function with wrongly arranged parameters

Impact

The code may not function as intended

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol#L216-L237

function recoverERC20FromStaking(
        StakingRewards staking,
        IERC20 tokenAddress,
        uint256 tokenAmount,
        address to
    ) external onlyRole(SUPPORT_ROLE) {
        // grab the tokens from the staking contract
        staking.recoverERC20(to, tokenAddress, tokenAmount);
    }

function recoverERC20(
        IERC20 tokenAddress,
        uint256 tokenAmount,
        address to
    ) external onlyRole(SUPPORT_ROLE) {
        //move funds
        tokenAddress.safeTransfer(to, tokenAmount);
    }

Tool used

Manual Review

Recommendation

Instead of staking.recoverERC20(to, tokenAddress, tokenAmount);, use staking.recoverERC20(tokenAddress, tokenAmount, to);

function recoverERC20FromStaking(
        StakingRewards staking,
        IERC20 tokenAddress,
        uint256 tokenAmount,
        address to
    ) external onlyRole(SUPPORT_ROLE) {
        // grab the tokens from the staking contract
        staking.recoverERC20(tokenAddress, tokenAmount, to);
    }
amshirif commented 6 months ago

There are two different recoverERC20() functions on two different contracts. The ordering of the two functions are different. The recoverERC20FromStaking() function is not attempting to call the recoverERC20() on the StakingRewardsManager. This function is external as can be seen by the code snippet provided. It is calling a function by the same name of the StakingRewards contract that is out of scope.

nevillehuang commented 6 months ago

Invalid, the call to staking.recoverERC20() is via the staking contract here, so the parameters order is correct

amshirif commented 5 months ago

https://github.com/telcoin/telcoin-audit/commit/8886b2bb9616fd41fe191cd1eaec855a3db570eb Not a valid issue, made changes here for clarity.

sherlock-admin commented 5 months ago

The protocol team fixed this issue in PR/commit https://github.com/telcoin/telcoin-audit/commit/8886b2bb9616fd41fe191cd1eaec855a3db570eb.

sherlock-admin commented 5 months ago

The Lead Senior Watson signed-off on the fix.