The issue is missing access control on externally callable functions that use the updateReward modifier. Functions such as getReward, withdrawFor and distributeReward accept an arbitrary _account parameter and run updateReward(_account) before their own body executes, so any caller can trigger a reward checkpoint for a staker other than themselves. This lets the caller influence when the other staker's reward accounting is updated and read reward-related state for accounts they do not control.
The affected code is in the TempleGoldStaking contract. Because the updateReward modifier executes before the function body, calling getReward (or any other function carrying the modifier) with another staker's address forces an update of that staker's reward accounting on the attacker's timing rather than the staker's.
The primary impact of this vulnerability includes:
Incorrect reward calculations: an attacker can trigger updates to the reward accounting of a staker other than themselves, which can lead to incorrect reward distributions.
Unauthorized access: an attacker can read and potentially influence the reward-related state of other users, compromising the integrity of the reward distribution system.
Attacker's Action: The attacker calls functions such as getReward, withdrawFor, or distributeReward with a staker's address (_account) other than their own.
Modifier Execution:
The updateReward modifier updates global reward data (rewardPerTokenStored and lastUpdateTime).
Then, for the _account that was passed in, it recomputes claimableRewards[_account][_index] and userRewardPerTokenPaid[_account][_index] from the stake information held in _stakeInfos for that account.
Impact:
If _account is the address of an existing staker, the attacker can trigger and time the reward accounting updates for that staker without the staker's consent.
This can lead to incorrect reward distributions, where rewards are credited to the wrong staker or at the wrong time, and lets an unauthorized party act on another user's reward-related state.
Tools used: manual audit and Foundry.
To mitigate this vulnerability, follow these recommendations:
Access Control: Implement strict access control mechanisms in functions utilizing the updateReward modifier. Ensure that only authorized accounts (e.g., the staker themselves or trusted contract administrators) can update rewards for a specific staker.
Parameter Validation: Validate parameters passed to functions like getReward, withdrawFor, and distributeReward to ensure that the _account address belongs to the caller or is otherwise authorized to perform the action.
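One way to apply the two recommendations above, shown as an added example rather than code from the TempleGoldStaking contract: the updateReward modifier below follows the checkpoint pattern described in this finding (reduced to a single stake per account, so the _index dimension is dropped), and every caller that takes an _account parameter gates it so that only the staker, an operator the staker approved, or the designated distributor can reach the modifier. The operators mapping, the distributor role, the NotAuthorised error and the reward arithmetic are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract, not TempleGoldStaking itself. It reproduces the
// updateReward checkpoint pattern from the finding and adds the recommended
// access control on the callers. `operators`, `distributor`, `NotAuthorised`
// and the reward arithmetic are assumptions for this example.
contract StakingRewardsHardened {
    struct RewardData {
        uint256 rewardRate;           // reward tokens per second, scaled by 1e18
        uint256 periodFinish;
        uint256 lastUpdateTime;
        uint256 rewardPerTokenStored;
    }

    RewardData public rewardData;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public userRewardPerTokenPaid;
    mapping(address => uint256) public claimableRewards;

    address public distributor;                                    // assumed role: only this address funds rewards
    mapping(address => mapping(address => bool)) public operators; // staker => operator => allowed

    error NotAuthorised(address caller, address account);

    constructor(address _distributor) { distributor = _distributor; }

    /// Checkpoints global accounting, then the given account's share.
    /// This is the pattern described in the finding and is left unchanged;
    /// the fix is the access check on every function that invokes it.
    modifier updateReward(address _account) {
        rewardData.rewardPerTokenStored = _rewardPerToken();
        rewardData.lastUpdateTime = _lastTimeRewardApplicable();
        if (_account != address(0)) {
            claimableRewards[_account] = _earned(_account);
            userRewardPerTokenPaid[_account] = rewardData.rewardPerTokenStored;
        }
        _;
    }

    /// Recommendation: only the staker, or an operator the staker approved, may act for `_account`.
    modifier onlySelfOrOperator(address _account) {
        if (msg.sender != _account && !operators[_account][msg.sender]) {
            revert NotAuthorised(msg.sender, _account);
        }
        _;
    }

    function setOperator(address _operator, bool _allowed) external {
        operators[msg.sender][_operator] = _allowed;
    }

    function stake(uint256 _amount) external updateReward(msg.sender) {
        totalSupply += _amount;
        balanceOf[msg.sender] += _amount;
        // token transfer omitted; this example tracks accounting only
    }

    /// Claims for `_account`; reverts before updateReward runs unless the caller is authorised.
    function getReward(address _account)
        external onlySelfOrOperator(_account) updateReward(_account) returns (uint256 reward)
    {
        reward = claimableRewards[_account];
        claimableRewards[_account] = 0;
        // reward token transfer to `_account` omitted
    }

    function withdrawFor(address _account, uint256 _amount)
        external onlySelfOrOperator(_account) updateReward(_account)
    {
        balanceOf[_account] -= _amount;
        totalSupply -= _amount;
    }

    /// Distribution only refreshes global state (address(0)) and is restricted to the distributor.
    function distributeReward(uint256 _amount, uint256 _duration) external updateReward(address(0)) {
        if (msg.sender != distributor) revert NotAuthorised(msg.sender, address(0));
        rewardData.rewardRate = (_amount * 1e18) / _duration;
        rewardData.periodFinish = block.timestamp + _duration;
        rewardData.lastUpdateTime = block.timestamp;
    }

    function _lastTimeRewardApplicable() internal view returns (uint256) {
        return block.timestamp < rewardData.periodFinish ? block.timestamp : rewardData.periodFinish;
    }

    function _rewardPerToken() internal view returns (uint256) {
        if (totalSupply == 0) return rewardData.rewardPerTokenStored;
        return rewardData.rewardPerTokenStored
            + (_lastTimeRewardApplicable() - rewardData.lastUpdateTime) * rewardData.rewardRate / totalSupply;
    }

    function _earned(address _account) internal view returns (uint256) {
        return balanceOf[_account] * (_rewardPerToken() - userRewardPerTokenPaid[_account]) / 1e18
            + claimableRewards[_account];
    }
}
```

Modifier order matters: onlySelfOrOperator is listed before updateReward so the authorisation check runs first and an unauthorised call reverts before any state for `_account` is touched. A Foundry test for this fix would call getReward(victim) from an unrelated address and expect a NotAuthorised revert, then approve that address via setOperator from the victim and expect the call to succeed.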