TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Non-authorized users can still receive or hold TGLD tokens

DarkTower

Summary

Non-authorized users can still participate in auctions or staking and receive TempleGold tokens.

Vulnerability Details

Because of a flawed check in the _update function of the TempleGold contract, users who are not authorized for any reason by the protocol still get to receive TempleGold tokens as long as one of the auctioning contracts or staking contracts or any other contract/address that is the from argument is authorized.

function _update(address from, address to, uint256 value) internal override {

/// can only transfer to or from whitelisted addreess

/// @dev skip check on mint and burn. function `send` checks from == to

@> if (from != address(0) && to != address(0)) { // @audit issue here because both need to eval to true for this to revert which allows non-authorized users to receive TGLD

if (!authorized[from] && !authorized[to]) { revert ITempleGold.NonTransferrable(from, to); }

}

super._update(from, to, value);

}

A short POC to describe this issue in code:

function checkBool(bool _case1, bool _case2) public pure returns (uint256) {

if (!_case1 && !_case2) { revert ("issue here"); }

return 2 + 2;

}

function test_checkBool() public view {

console.log("Result: ", checkBool(true, false));

}

Running 1 test for test/TokenTest.t.sol:TokenTest

[PASS] test_checkBool() (gas: 8877)

Logs:

Result: 4

Impact

This breaks every one of the protocol's assumptions that non-authorized addresses cannot participate. Because assuming the user then participates by bidding DAI for TGLD in the auction contract, since the auction contract would be authorized to transfer TGLD, even if the user is unauthorized, they still get to receive TGLD

Tools Used

Manual review

Recommendations

The ideal fix is also to check that if the _to address is not either one of the auction contracts or staking contracts, then they should be authorized too.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.