TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Inefficient Reward Distribution Vulnerability in the `TempleGoldStaking` Contract via the `distributeGold` External Function

Summary:

The TempleGold smart contract contains a vulnerability where the `distributeGold` external function can be called by any address. Because the internal `_distributeGold` function does not handle exceptional cases properly, this can lead to inefficient distribution of rewards.

Vulnerability Details:

The `distributeGold` external function can be called by any address because there are no checks on who is calling it.

Impact:

If an attacker calls the `distributeGold` function at an inappropriate time or without proper checks, the `_distributeGold` function may attempt to mint TGLD tokens from the `rewardToken` contract unnecessarily, leading to:

  • Wasted gas fees and blockchain resources.

  • Inefficient allocation of rewards if not synchronized properly with the reward distribution process.

  • Potential disruptions or delays in the reward distribution mechanism.

Proof of Concept/Explanation:

The vulnerability arises from the following code snippet:

    // Excerpt from TempleGoldStaking: the external entry point and the
    // internal helper it delegates to.
    function distributeGold() external {
        _distributeGold();
    }

    function _distributeGold() internal {
        /// @dev no op silent fail if nothing to distribute
        ITempleGold(address(rewardToken)).mint();
    }

Scenario:

  1. Attacker Action:

    • An attacker calls the `distributeGold` function directly from an external address.

  2. Internal Function Call:

    • The external call triggers `_distributeGold`, which internally attempts to mint TGLD tokens using `ITempleGold(address(rewardToken)).mint()`.

  3. Potential Exploitation:

    • If the `rewardToken` contract is improperly configured, or if there are no rewards (TGLD tokens) to distribute, the `mint` function may fail silently or consume gas unnecessarily.

Tools Used:

Manual, Foundry

Recommendations:

To mitigate this vulnerability, consider the following steps:

  • Access Control:

    • Implement access control mechanisms to ensure that only authorized contracts or addresses can call the `distributeGold` function.

  • Input Validation:

    • Add checks within the `distributeGold` function to validate conditions before invoking `_distributeGold`, ensuring that rewards are only distributed when necessary.
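The two recommendations written out as an added example (this is not TempleDAO's code): the unrestricted entry point is replaced by an allow-listed one, and the internal helper asks the reward token whether anything is due before paying for a `mint()` call that would otherwise no-op. The `canDistribute()` view and the allow-list are assumptions; whether gating a distribution trigger is desirable at all depends on whether it is meant to be a permissionless keeper call, which is the point the judging below disputes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not TempleDAO code. ITempleGold is a hypothetical stand-in:
// mint() is the silent no-op quoted above; canDistribute() is an assumed view
// that reports whether a mint call would actually move any TGLD.
interface ITempleGold {
    function mint() external;
    function canDistribute() external view returns (bool);
}

contract HardenedStaking {
    ITempleGold public immutable rewardToken;
    address public immutable owner;
    mapping(address => bool) public distributors; // allow-listed callers

    event GoldDistributed(address indexed caller);
    event DistributionSkipped(address indexed caller);
    error NotAuthorized();

    constructor(ITempleGold _rewardToken) {
        rewardToken = _rewardToken;
        owner = msg.sender;
        distributors[msg.sender] = true;
    }

    /// @notice Recommendation 1 (access control): the owner maintains an
    ///         allow-list of addresses permitted to trigger a distribution.
    function setDistributor(address who, bool allowed) external {
        if (msg.sender != owner) revert NotAuthorized();
        distributors[who] = allowed;
    }

    /// @notice Gated replacement for the unrestricted distributeGold().
    /// @return distributed true if TGLD was minted, false if nothing was due.
    function distributeGold() external returns (bool distributed) {
        if (!distributors[msg.sender]) revert NotAuthorized();
        return _distributeGold();
    }

    /// @dev Recommendation 2 (input validation): ask the reward token whether
    ///      anything is due before paying for an external call that would no-op.
    function _distributeGold() internal returns (bool) {
        if (!rewardToken.canDistribute()) {
            emit DistributionSkipped(msg.sender);
            return false;
        }
        rewardToken.mint();
        emit GoldDistributed(msg.sender);
        return true;
    }
}
```

The `DistributionSkipped` event gives off-chain monitoring a cheap signal of how often callers trigger the function with nothing to distribute.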

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
