search

sherlock-audit / 2024-01-telcoin-judging

6 stars 5 forks source link

valentin2304 - Typo in StakingRewardsMangaer.sol/recoverERC20FromStaking #175

Closed sherlock-admin2 closed 6 months ago

sherlock-admin2 commented 6 months ago

valentin2304

medium

Typo in StakingRewardsMangaer.sol/recoverERC20FromStaking

Summary

The typo is that the parameters of the function called from recoverERC20FromStaking which is recoverERC20 are not passed in a correct line which may lead to misfunctionality.

Vulnerability Detail

recoverERC20FromStaking calls recoverERC20() with parameters sentenced like (to, tokenAddress, tokenAmount) but recoverERC20 accepts them sentenced like (tokenAddress, tokenAmount, to)

 function recoverERC20FromStaking(
        StakingRewards staking,
        IERC20 tokenAddress,
        uint256 tokenAmount,
        address to
    ) external onlyRole(SUPPORT_ROLE) {
        // grab the tokens from the staking contract
        staking.recoverERC20(to, tokenAddress, tokenAmount);
    }
    function recoverERC20(
        IERC20 tokenAddress,
        uint256 tokenAmount,
        address to
    ) external onlyRole(SUPPORT_ROLE) {
        //move funds
        tokenAddress.safeTransfer(to, tokenAmount);
    }

Impact

Missfunctionality

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol#L216-L237

Tool used

Manual Review

Recommendation

resentence the parameters given to recoverERC20 in recoverERC20FromStaking

Duplicate of #173

sherlock-admin2 commented 6 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { This is invalid because the recoverERC20() function thats being called is from stakinRewards.sol not TelcoinDistributor.sol; so the implementation is correct. just like issue 173 }