search

sherlock-audit / 2024-01-telcoin-judging

6 stars 5 forks source link

grearlake - `SUPPORT_ROLE` can steal TELCOIN by calling `recoverERC20FromStaking()` function #236

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

grearlake

medium

SUPPORT_ROLE can steal TELCOIN by calling recoverERC20FromStaking() function

Summary

SUPPORT_ROLE can steal all token by calling recoverERC20FromStaking function due to no restriction to call it

Vulnerability Detail

Function recoverERC20FromStaking() is used to recover erc20 token from contract:

function recoverERC20FromStaking(
    StakingRewards staking,
    IERC20 tokenAddress,
    uint256 tokenAmount,
    address to
) external onlyRole(SUPPORT_ROLE) {
    // grab the tokens from the staking contract
    staking.recoverERC20(to, tokenAddress, tokenAmount);
}

But there is no restriction for this function to withdraw token from StakingRewards contract. Malicious SUPPORT_ROLE can use this function to drain all TELCOIN.

Impact

Malicious SUPPORT_ROLE can use this function to drain all token in the StakingRewards contract.

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol#L216-#L224

Tool used

Manual Review

Recommendation

This function should be controlled by owner

Duplicate of #205

sherlock-admin2 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { This is invalid as that is the intended behavior of it to allow the SUPPORT_ROLE to call the function}