Closed sherlock-admin2 closed 6 months ago
Invalid; this is a trusted admin, trusted not to be malicious. Additionally, you can only recover tokens accidentally donated to the contract that are not the staked token, as seen in this check here
iberry
medium
StakingRewardsManager:recoverERC20FromStaking allows SUPPORT_ROLE to retrieve rewardsToken
Summary
This allows the owner, with the SUPPORT_ROLE privilege, to retrieve the rewards tokens, perhaps as a way to rug depositors.
Vulnerability Detail
The recoverERC20FromStaking function in the StakingRewardsManager allows the owner to retrieve ERC20 tokens from a StakingRewards contract.
Impact
Medium, rug rewardsToken
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol#L216-L224
Tool used
Manual Review
Recommendation