The setStaking function in the TempleGold contract fails to implement proper validation for the _staking parameter, potentially exposing the contract to security vulnerabilities and operational risks.
The setStaking function allows the owner to set the staking contract address (staking) without validating whether the provided _staking address is a valid contract address. The function includes a revert statement if _staking is set to address(0), indicating partial validation awareness. It lacks checks to ensure _staking points to a contract implementing ITempleGoldStaking, potentially allowing:
Setting _staking to an arbitrary address, including address(0), which could disrupt intended contract operations.
Interacting with malicious contracts or contracts not compatible with ITempleGoldStaking, leading to vulnerabilities.
Incorrect or malicious _staking addresses can compromise contract integrity, leading to unauthorized access or manipulation of contract state. Setting _staking incorrectly can disrupt staking mechanisms or reward distributions, affecting user experience and contract functionality.
Manual Review
Ensure that _staking is a non-zero valid contract address.
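
One way to apply this recommendation, as an added example that is not the TempleGold source: a setter that keeps the zero-address revert and also rejects addresses with no deployed bytecode. Only setStaking, staking, _staking and ITempleGoldStaking come from the finding; the contract name, errors, event and owner handling are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. The interface members are
// omitted because the finding does not list them.
interface ITempleGoldStaking {}

contract StakingSetterExample {
    // Hypothetical error and event names, chosen for this example only.
    error InvalidAddress();
    error NotAContract(address target);
    error NotOwner();

    event StakingSet(address indexed staking);

    address public immutable owner;
    ITempleGoldStaking public staking;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function setStaking(address _staking) external onlyOwner {
        // Check the finding says is already present: reject the zero address.
        if (_staking == address(0)) revert InvalidAddress();

        // Added check: reject addresses that hold no bytecode (EOAs, typos,
        // addresses that are not deployed yet). code.length is also 0 while
        // the target's constructor is still running, so call this only
        // after the staking contract has been deployed.
        if (_staking.code.length == 0) revert NotAContract(_staking);

        staking = ITempleGoldStaking(_staking);
        emit StakingSet(_staking);
    }
}
```

The bytecode check only shows that some contract exists at the address; it does not show that the contract implements ITempleGoldStaking, so the owner still has to verify the deployed address before calling the setter.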