Closed sherlock-admin closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { users are expected to specify the intended amount of all the destinations (totalWithdraw); the result of putting a larger or lower number than your cumulative intention is to revert; but for making it a robust function, it should be considered valid and a low or a requesting-feature issue, which is invalid according to sherlock rules }
sonny2k
medium
Missing check if the sum of amounts value in array equals to totalWithdrawl in proposeTransaction()
Summary
The proposeTransaction() function in TelcoinDistributor.sol does not check whether the sum of amounts and totalWithdrawl are equal. This can lead to unexpected results.
Vulnerability Detail
In the proposeTransaction() function, the council member submits the array of amounts values which will later be sent, and a value of totalWithdrawl as a representative of the amounts value summary.
However, in this function, there is no check if the total value of these amounts equals totalWithdrawl.
Impact
If the sum of amounts is smaller or larger than totalWithdrawl, the proposed transaction will always be reverted caused by the logic of batchTelcoin():
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/protocol/core/TelcoinDistributor.sol#L87
Tool used
Manual Review
Recommendation
Add a check to the proposeTransaction() function that confirms that the total value of amounts and totalWithdrawl are equal.
Duplicate of #91
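The check recommended in the report, written out as an added example. This is not code from TelcoinDistributor.sol: the contract name, the storage layout, the destinations parameter and the error names are assumptions, and it also validates array lengths, which goes slightly beyond what the report asks for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch, not the audited contract. Only proposeTransaction,
// amounts and totalWithdrawl are names taken from the report; everything
// else is assumed. Council-member access control is omitted for brevity.
contract ProposalValidationSketch {
    error LengthMismatch(uint256 destinations, uint256 amounts);
    error TotalMismatch(uint256 declared, uint256 summed);

    struct Proposal {
        uint256 totalWithdrawl;
        address[] destinations;
        uint256[] amounts;
    }

    Proposal[] private proposals;

    function proposeTransaction(
        uint256 totalWithdrawl,
        address[] calldata destinations,
        uint256[] calldata amounts
    ) external returns (uint256 id) {
        // Every amount needs exactly one recipient.
        if (destinations.length != amounts.length) {
            revert LengthMismatch(destinations.length, amounts.length);
        }

        // Solidity 0.8+ checked arithmetic reverts on overflow, so the sum
        // cannot wrap around to match the declared total.
        uint256 summed;
        for (uint256 i = 0; i < amounts.length; ++i) {
            summed += amounts[i];
        }

        // Reject the proposal now instead of letting it fail at execution.
        if (summed != totalWithdrawl) {
            revert TotalMismatch(totalWithdrawl, summed);
        }

        id = proposals.length;
        Proposal storage p = proposals.push();
        p.totalWithdrawl = totalWithdrawl;
        p.destinations = destinations;
        p.amounts = amounts;
    }
}
```

Failing at proposal time surfaces the mismatch in the proposer's own transaction, with both values in the revert data, rather than after the proposal has gone through review.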