sherlock-audit / 2024-01-telcoin-judging


araj - staking contract with different rewardToken can be added in stakingContractManager #241

Closed sherlock-admin closed 5 months ago

sherlock-admin commented 5 months ago

araj

high

staking contract with different rewardToken can be added in stakingContractManager

Summary

Staking contract with different rewardToken can be added in stakingContractManager as there is no check on that

Vulnerability Detail

An already created staking contract is added to the array using the addStakingRewardsContract function in the manager contract. The docs say "Do not add staking contracts with rewardToken other than the one passed to initialize this contract." but there is no check for this.

    function addStakingRewardsContract(
        StakingRewards staking,
        StakingConfig calldata config
    ) external onlyRole(BUILDER_ROLE) {
        //checking if already exists
        require(
            !stakingExists[staking],
            "StakingRewardsManager: Staking contract already exists"
        );
        //internal call to add new contract
        _addStakingRewardsContract(staking, config);
    }

Impact

This will lead to a staking contract with a different rewardToken being added to stakingContracts

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol#L128C1-L139C6

Tool used

Manual Review

Recommendation

Use this require in addStakingRewardsContract

+  require(staking.rewardsToken() == rewardToken, "StakingRewardsManager: Reward token don't match");
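
Review bot: the added `require` has no stated position inside `addStakingRewardsContract`; it should sit beside the existing `stakingExists` check, before the call to `_addStakingRewardsContract(staking, config)`, so that a contract with a mismatched token is rejected before the internal add runs. The revert string "Reward token don't match" would read better as "Reward token does not match", in line with the wording of the existing "Staking contract already exists" message.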

sherlock-admin2 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { This is invalid because there is some sort of a modifier for the function; they will ensure an adequate implementation}

nevillehuang commented 5 months ago

Invalid, this is an admin-gated function, so this would constitute user input error, not valid based on Sherlock rules, see point 5.