search

sherlock-audit / 2024-01-telcoin-judging

6 stars 5 forks source link

grearlake - Malicious builder can back-run to update malicious config of staking contrat when deploying #254

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

grearlake

medium

Malicious builder can back-run to update malicious config of staking contrat when deploying

Summary

Malicious builder can back-run to update malicious config of staking contrat when deploying

Vulnerability Detail

_addStakingRewardsContract use CREATE1 to deploy contract:

function createNewStakingRewardsContract(
    IERC20 stakingToken,
    StakingConfig calldata config
) external onlyRole(BUILDER_ROLE) {
    // create the new staking contract
    // new staking will have owner and rewardsDistribution set to address(this)
    StakingRewards staking = StakingRewards(
        address(
            stakingRewardsFactory.createStakingRewards(
                address(this),
                IERC20(address(rewardToken)),
                IERC20(stakingToken)
            )
        )
    );
    //internal call to add new contract
    _addStakingRewardsContract(staking, config);
}

Malicious builder can update new config of the contract by back-run in the same block. since there is no way to update config after deployment

Impact

Malicious builder can update new config of the contract

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol#L102-#L119

Tool used

Manual Review

Recommendation

Using CREATE2 with salt

sherlock-admin2 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { The role is trusted and will not do what the watson has said}

nevillehuang commented 5 months ago

Invalid, BUILDER_ROLE is a trusted entity within the protocol trusted to not be malicious