SDLPoolCCIPControllerPrimary::_distributeRewards is marked as internal, which makes it reachable from any contract that inherits from it. A malicious inheriting contract could call the internal function directly, leading to unauthorized distribution of rewards.
In the contract, _distributeRewards is called internally from the distributeRewards function, which carries the access modifier onlyRewardsInitiator. That modifier prevents unauthorized calls, but only when the entry point is distributeRewards.
The vulnerability lies in the _distributeRewards function itself: because it is marked as internal, it can be called from any contract that inherits from SDLPoolCCIPControllerPrimary.
A malicious contract could exploit this by inheriting from SDLPoolCCIPControllerPrimary and calling _distributeRewards with parameters of its own choosing, distributing rewards at will. This could lead to unauthorized distribution of rewards.
The parameters of _distributeRewards can easily be determined by the exploiter: the three parameters destinationChainIds, _rewardTokens and _rewardTokenAmounts can be derived in the malicious contract using the same methods that the distributeRewards function uses, and then passed to the call, potentially causing unauthorized reward distribution.
The potential impact of this vulnerability is HIGH. Misuse could lead to unauthorized control over the distribution of rewards, which could disrupt the normal operation of the system and potentially drain the system's resources.
Damage could be both financial, in terms of lost rewards, and reputational, as it could undermine trust in the system among users.
Thorough manual review of the code.
Instead of marking the function as internal, private can be used to mitigate the risk, since a private function is not accessible to other contracts that inherit from SDLPoolCCIPControllerPrimary.
Alternatively, an access modifier can be applied to the _distributeRewards function, or a require statement can be added so that only the rewardsInitiator can call it.