The TempleGold smart contract contains a vulnerability: the distributeGold external function can be called by any address, which can lead to inefficient distribution of rewards because the internal _distributeGold function does not handle exceptional cases properly.
The issue is in the distributeGold external function, which can be called by any address because there are no checks on who the caller is.
If an attacker calls the distributeGold function at an inappropriate time, or without proper checks in place, the _distributeGold function may attempt to mint TGLD tokens from the rewardToken contract unnecessarily, leading to:
Wastage of gas fees and blockchain resources.
Inefficient allocation of rewards if the call is not synchronized with the reward distribution process.
Potential disruptions or delays in the reward distribution mechanism.
The vulnerability arises from the following code snippet:
Attacker Action:
An attacker calls the distributeGold function directly from an external address.
Internal Function Call:
The external call triggers _distributeGold, which internally attempts to mint TGLD tokens using ITempleGold(address(rewardToken)).mint().
Potential Exploitation:
If the rewardToken contract is improperly configured, or if there are no TGLD tokens to distribute, the mint function may fail silently or consume gas unnecessarily.
Tools used: Manual, Foundry
To mitigate this vulnerability, consider the following steps:
Access Control:
Implement access control so that only authorized contracts or addresses can call the distributeGold function.
Input Validation:
Add checks within the distributeGold function that validate the relevant conditions before invoking _distributeGold, so that rewards are only distributed when necessary.
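The two recommendations above, shown side by side with the permissionless shape the finding describes. This is an added illustration, not code from the TempleGold repository or this finding: the ITempleGold interface is reduced to mint() (named in the finding) plus the standard ERC20 balanceOf(), and the distributor address, the MIN_INTERVAL policy value and the contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface: mint() is the call named in the finding;
// balanceOf() is plain ERC20 and measures what mint() actually produced.
interface ITempleGold {
    function mint() external;
    function balanceOf(address) external view returns (uint256);
}

// Shape described in the finding: any address reaches the mint path.
contract StakingVulnerable {
    ITempleGold public immutable rewardToken;
    constructor(ITempleGold t) { rewardToken = t; }
    function distributeGold() external { _distributeGold(); }
    function _distributeGold() internal {
        rewardToken.mint(); // no caller check, no timing check, no result check
    }
}
// Hardened shape: allow-listed caller, minimum interval between calls, and an
// explicit revert when mint() produced nothing instead of a silent no-op.
contract StakingHardened {
    ITempleGold public immutable rewardToken;
    address public immutable distributor;           // assumed: the only caller allowed
    uint256 public constant MIN_INTERVAL = 1 hours; // assumed policy value
    uint256 public lastDistribution;

    event GoldDistributed(address indexed caller, uint256 minted);
    error NotAuthorized(address caller);
    error TooSoon(uint256 nextAllowed);
    error NothingToDistribute();
    constructor(ITempleGold t, address d) { rewardToken = t; distributor = d; }

    function distributeGold() external {
        if (msg.sender != distributor) revert NotAuthorized(msg.sender);
        uint256 nextAllowed = lastDistribution + MIN_INTERVAL;
        if (block.timestamp < nextAllowed) revert TooSoon(nextAllowed);
        _distributeGold();
    }

    function _distributeGold() internal {
        uint256 before = rewardToken.balanceOf(address(this));
        rewardToken.mint();
        uint256 minted = rewardToken.balanceOf(address(this)) - before;
        if (minted == 0) revert NothingToDistribute(); // surface the silent failure
        lastDistribution = block.timestamp;
        emit GoldDistributed(msg.sender, minted);
    }
}
```

The balance check after mint() turns the "fails silently" case from the finding into a revert with a named error, which is what an off-chain monitor or a Foundry test can assert on.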