Closed sherlock-admin closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { both these functions are admin controlled and will make sure they are not twice; according to sherlock they are trusted}
Invalid, this would constitute user/admin input error, not valid based on sherlock rules, see point 5.
araj
medium
Existing council member can become member twice
Summary
Already existing council member can become a member twice as there is no check if an address is an existing member of council or not
Vulnerability Detail
New council member can be added through mint & removeFromOffice but both the functions are lacking a check on whether an address is already an existing council member. If a council member became a member twice then that member will receive TELCOIN balance twice, which is bad as other members will lose balance
Impact
User can become council member twice & if that happens, that member will receive TELCOIN twice
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L173C3-L182C6
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L122C1-L134C6
Tool used
Manual Review
Recommendation
Use a mapping or array to store council member addresses and add checks in the mint & removeFromOffice functions, or check if an address is holding any member NFT, in which case it should not become a member again
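
One way to implement the recommended mapping check, as an added example that is not part of the original report or the audited CouncilMember.sol. The function names `mint` and `removeFromOffice` come from the report; their signatures, the seat bookkeeping, the custom errors and the `onlyGovernance` modifier are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: a minimal stand-in, not the audited contract.
// Signatures, storage layout and access control are assumed for the example.
contract CouncilMembershipGuardExample {
    address public immutable governance;           // assumed trusted admin role
    mapping(address => bool) public isMember;      // the mapping the report recommends
    mapping(uint256 => address) public seatHolder; // seat id => current holder
    uint256 public seatCount;

    error NotGovernance();
    error ZeroAddress();
    error AlreadyMember(address account);
    error NotSeatHolder(uint256 seatId, address account);

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    constructor(address governance_) {
        governance = governance_;
    }

    // Reject an address that already holds a seat before creating a new one.
    function mint(address newMember) external onlyGovernance returns (uint256 seatId) {
        _requireNewMember(newMember);
        seatId = seatCount++;
        seatHolder[seatId] = newMember;
        isMember[newMember] = true;
    }

    // Replace a seat's holder; the incoming address must not already hold a seat.
    function removeFromOffice(address from, address to, uint256 seatId) external onlyGovernance {
        if (from == address(0) || seatHolder[seatId] != from) revert NotSeatHolder(seatId, from);
        _requireNewMember(to);
        isMember[from] = false;
        isMember[to] = true;
        seatHolder[seatId] = to;
    }

    function _requireNewMember(address account) private view {
        if (account == address(0)) revert ZeroAddress();
        if (isMember[account]) revert AlreadyMember(account);
    }
}
```

With this guard, a second `mint` for the same address, or a `removeFromOffice` whose `to` is a sitting member, reverts with `AlreadyMember` instead of relying on the admin to supply a fresh address.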