Closed sherlock-admin2 closed 2 months ago
Based on the discussion here this issue is duplicated with #50
The protocol team fixed this issue in the following PRs/commits: https://github.com/andromedaprotocol/andromeda-core/pull/551
fix-reviews note:
https://github.com/andromedaprotocol/andromeda-core/pull/551
This PR modifies execute_withdraw_fund()
to support withdraw balance from contract, avoiding rewards being left in the contract.
Solves the problem of not being able to withdraw funds
Fixed this issue
bin2chen
Medium
execute_stake() without setting DistributionMsg::SetWithdrawAddress, partial reward may remain in the contract
Summary
in
andromeda-validator-staking
After executingexecute_stake()
, the default reward recipient is the contract itself if triggers a reward distribution, rewards will deposited into the contract and remains in the contractVulnerability Detail
in
andromeda-validator-staking
After executingexecute_stake()
, the reward recipientDistributionMsg::SetWithdrawAddress
is not set, so the default reward recipient is the contract itselfDistributionMsg::SetWithdrawAddress
is only set ifexecute_claim()
is actively executedBut after some time has passed ,
owner
doesn't executeexecute_claim()
, so the default recipient is the contract itselfexecute_stake()
again or any other case can trigger a reward auto distribution to transfer the reward to the contracthttps://github.com/cosmos/cosmos-sdk/tree/main/x/distribution#create-or-modify-delegation-distribution
Impact
Until
DistributionMsg::SetWithdrawAddress
is set, the triggered reward distribution is left in the contractCode Snippet
https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/main/andromeda-core/contracts/finance/andromeda-validator-staking/src/contract.rs#L34
Tool used
Manual Review
Recommendation
like
andromeda-vesting
, whenexecute_stake()
, setDistributionMsg::SetWithdrawAddress
to senderDuplicate of #50