Closed sherlock-admin closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because { This is valid because the watson explains how incorrect use of indices poses a challenge of depositing into the intended contract and also a dup of 016}
ggg_ttt_hhh
medium
There is a misuse of indices input in the topUp function.
Summary
Vulnerability Detail
In the `StakingRewardsManager`, there is a `stakingContracts` array containing all the `stakingRewards` contracts managed by this contract. The `topUp` function is used to assign rewards to specific `stakingRewards` contracts, but there is a misuse of `indices` input value.

Currently, the function uses the index `i` instead of `indices[i]`. In order to send rewards to the last `stakingRewards` contract, it's necessary to include all `stakingRewards` contracts as input and validate the configuration file accordingly.

A notable consideration is the transfer of ownership by the admin for certain `stakingRewards`. In such cases, the manager might be restricted from calling the `notifyRewardAmount` function of those `stakingRewards`. Consequently, it becomes challenging to notify rewards for `stakingRewards` contracts that appear later in the `stakingContract`s array after the one with the ownership transfer.

Impact
Sending rewards to specific `stakingRewards` contracts poses a challenge.

Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol#L254-L261
Tool used
Manual Review
Recommendation
Duplicate of #16
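
The behaviour reported above, as an added Python model that is not part of the original report and is not the Telcoin Solidity source. The names `top_up_buggy`, `top_up_fixed` and `demo`, the reward amount and the rollback that stands in for a Solidity revert are assumptions made for illustration; it also assumes `notifyRewardAmount` reverts for a caller that is not the owner.

```python
# Added illustration: a Python model of the indexing bug, not the audited contract.
class StakingRewards:
    """Stand-in for a stakingRewards contract; only its owner may notify rewards."""
    def __init__(self, owner):
        self.owner = owner
        self.notified = 0

    def notifyRewardAmount(self, caller, amount):
        if caller != self.owner:
            raise PermissionError("caller is not the owner")  # models a revert
        self.notified += amount


class Manager:
    def __init__(self, count):
        self.stakingContracts = [StakingRewards(owner=self) for _ in range(count)]

    def _top_up(self, targets, amount):
        # A revert undoes the whole call, so snapshot state and roll back on error.
        snapshot = [c.notified for c in self.stakingContracts]
        try:
            for t in targets:
                self.stakingContracts[t].notifyRewardAmount(self, amount)
        except PermissionError:
            for c, old in zip(self.stakingContracts, snapshot):
                c.notified = old
            return False
        return True

    def top_up_buggy(self, indices, amount):
        # Bug as reported: the loop counter i is used instead of indices[i].
        return self._top_up(range(len(indices)), amount)

    def top_up_fixed(self, indices, amount):
        # Intended behaviour: use the caller-supplied position.
        return self._top_up(indices, amount)


def demo(fixed):
    m = Manager(3)
    m.stakingContracts[1].owner = "new-owner"  # constructed: ownership of #1 transferred
    call = m.top_up_fixed if fixed else m.top_up_buggy
    single = call([2], 100)             # try to reward only the last contract
    after_single = [c.notified for c in m.stakingContracts]
    everything = call([0, 1, 2], 100)   # workaround: pass every contract
    return single, after_single, everything, [c.notified for c in m.stakingContracts]
```

With the loop counter in place of `indices[i]`, a call meant for the last contract credits contract 0, and the pass-everything workaround fails once any earlier contract rejects the manager.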