TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: high
Invalid

Incorrect Reward Calculation Manipulated via an Unauthorized (Attacker) Account Using Another Staker's Account Address in the `TempleGoldStaking.sol` Contract

Summary:

The vulnerability arises from improper access control in functions using the updateReward modifier. Attackers can exploit this by passing a different staker's address to functions like getReward, withdrawFor, and distributeReward, which utilize the updateReward modifier. This allows them to manipulate reward calculations and potentially gain unauthorized access to reward-related data of other users.

Vulnerability Details:

The issue is in the TempleGoldStaking contract. Functions such as getReward use the updateReward modifier, which runs before the function body executes. By passing another staker's address to getReward, an attacker can manipulate the reward calculation for that staker.

Impact:

The primary impact of this vulnerability includes:

  • Incorrect Reward Calculations: Attackers can update reward-related data for a staker other than themselves, leading to incorrect reward distributions.

  • Unauthorized Access: Accessing and potentially manipulating reward-related data of other users, compromising the integrity of the reward distribution system.

Proof of Concept / Explanation:

Scenario:

  1. Attacker's Action: The attacker calls functions such as getReward, withdrawFor, or distributeReward with a staker's address (_account) other than their own.

  2. Modifier Execution:

    • The updateReward modifier updates global reward data (rewardPerTokenStored and lastUpdateTime).

    • Specifically, for the _account provided, it updates claimableRewards[_account][_index] and userRewardPerTokenPaid[_account][_index] based on _stakeInfos retrieved.

  3. Impact:

    • If _account is a valid staker's address, the attacker can manipulate the reward calculations for that staker.

    • This could lead to incorrect reward distributions where the wrong staker receives rewards or an unauthorized party accesses sensitive reward-related data.

Tools Used:

Manual audit, Foundry

Recommendations:

To mitigate this vulnerability, follow these recommendations:

  • Access Control: Implement strict access control mechanisms in functions utilizing the updateReward modifier. Ensure that only authorized accounts (e.g., the staker themselves or trusted contract administrators) can update rewards for a specific staker.

  • Parameter Validation: Validate parameters passed to functions like getReward, withdrawFor, and distributeReward to ensure that the _account address belongs to the caller or is otherwise authorized to perform the action.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
