There is no access control on who can call the getReward function in TempleGoldStaking.sol, which may result in some undesired behaviors within the protocol.
getReward can be called by anyone. The function updates the rewards for the staker and makes a call to the internal function _getReward. The _getReward function checks the amount of claimable rewards and sends them to the staker address. Neither _getReward nor the updateReward modifier includes any validation that msg.sender is the staker. Therefore, if anyone other than the staker calls the function, both the protocol and users may face unexpected behaviors such as:
1) Forced reward distribution may affect distribution timings for the staker.
2) If an attacker repeatedly invokes the getReward function for multiple stakers, it could lead to congestion and high gas costs on the network. This might prevent legitimate users from executing their transactions due to increased gas prices or network congestion.
Potential DoS attack and unintentional situations for protocol/users
Manual Review
Implement an access control mechanism such as an onlyStaker modifier to ensure only the staker can invoke the getReward function for their own rewards.
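The following simplified contract, added here as an illustration and not the actual TempleGoldStaking code, shows the unrestricted getReward pattern described above next to a hardened version that adds an onlyStaker check. The reward accounting, the updateReward modifier body and the rewardToken interface are assumptions standing in for the real contract's logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed to pay out rewards (assumed for this example).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract StakingAccessControlExample {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public rewards;     // claimable rewards per staker (constructed state)
    mapping(address => uint256) public lastUpdated; // hypothetical checkpoint touched by updateReward

    error NotStaker(address caller, address staker);

    constructor(IERC20 _rewardToken) {
        rewardToken = _rewardToken;
    }

    // Hypothetical accounting hook: brings the staker's reward state up to date.
    // As in the finding, it performs no check on msg.sender by itself.
    modifier updateReward(address staker) {
        lastUpdated[staker] = block.timestamp;
        _;
    }

    // Access control: the caller must be the staker whose rewards are claimed.
    modifier onlyStaker(address staker) {
        if (msg.sender != staker) revert NotStaker(msg.sender, staker);
        _;
    }

    // VULNERABLE PATTERN: any caller can pass any staker and force a payout,
    // changing that staker's distribution timing without their consent.
    function getRewardUnrestricted(address staker) external updateReward(staker) {
        _getReward(staker);
    }

    // HARDENED PATTERN: only the staker can trigger a claim for their own address.
    function getReward(address staker) external onlyStaker(staker) updateReward(staker) {
        _getReward(staker);
    }

    // Pays out whatever is claimable; zero-balance calls are a no-op.
    function _getReward(address staker) internal {
        uint256 amount = rewards[staker];
        if (amount == 0) return;
        rewards[staker] = 0; // effects before interaction
        require(rewardToken.transfer(staker, amount), "reward transfer failed");
    }
}
```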