The vulnerability arises from improper access control in functions using the updateReward modifier. Attackers can exploit this by passing a different staker's address to functions like getReward, withdrawFor, and distributeReward, which utilize the updateReward modifier. This allows them to manipulate reward calculations and potentially gain unauthorized access to reward-related data of other users.
It is found in the TempleGoldStaking contract: functions such as getReward apply the updateReward modifier before the function body executes, so calling getReward with another staker's address lets an attacker manipulate that staker's reward calculation.
The primary impact of this vulnerability includes:
Incorrect Reward Calculations: Attackers can update reward-related data for a staker other than themselves, leading to incorrect reward distributions.
Unauthorized Access: Accessing and potentially manipulating reward-related data of other users, compromising the integrity of the reward distribution system.
Attacker's Action: The attacker calls functions such as getReward, withdrawFor, or distributeReward with a staker's address (_account) other than their own.
Modifier Execution: The updateReward modifier updates global reward data (rewardPerTokenStored and lastUpdateTime). Specifically, for the _account provided, it updates claimableRewards[_account][_index] and userRewardPerTokenPaid[_account][_index] based on the _stakeInfos retrieved.
Impact: If _account is a valid staker's address, the attacker can manipulate the reward calculations for that staker. This could lead to incorrect reward distributions where the wrong staker receives rewards, or an unauthorized party accesses sensitive reward-related data.
Tools used: Manual audit, Foundry
To mitigate this vulnerability, follow these recommendations:
Access Control: Implement strict access control mechanisms in functions utilizing the updateReward modifier. Ensure that only authorized accounts (e.g., the staker themselves or trusted contract administrators) can update rewards for a specific staker.
Parameter Validation: Validate parameters passed to functions like getReward, withdrawFor, and distributeReward to ensure that the _account address belongs to the caller or is otherwise authorized to perform the action.
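The recommendation above, as an added sketch that is not TempleGoldStaking's code: a simplified Synthetix-style updateReward(_account) modifier (single reward index instead of the contract's [_account][_index] layout, and an assumed operators mapping standing in for trusted administrators), with an onlyAuthorizedFor modifier placed ahead of it so the _account check runs before any of that staker's reward state is touched.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Simplified sketch (assumed, not TempleGoldStaking's code) of Synthetix-style
/// reward accounting whose updateReward takes an arbitrary _account.
contract StakingAccessControlSketch {
    uint256 public rewardPerTokenStored;
    uint256 public lastUpdateTime;
    uint256 public rewardRate; // reward per second (assumed)
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public userRewardPerTokenPaid;
    mapping(address => uint256) public claimableRewards;
    mapping(address => bool) public operators; // trusted contract administrators (assumed)
    event RewardPaid(address indexed account, uint256 amount);

    constructor(uint256 _rewardRate) { rewardRate = _rewardRate; operators[msg.sender] = true; }

    function rewardPerToken() public view returns (uint256) {
        if (totalSupply == 0) return rewardPerTokenStored;
        return rewardPerTokenStored
            + ((block.timestamp - lastUpdateTime) * rewardRate * 1e18) / totalSupply;
    }

    // Accounting unchanged: whoever reaches this path with another staker's address
    // rewrites that staker's claimableRewards and userRewardPerTokenPaid.
    modifier updateReward(address _account) {
        rewardPerTokenStored = rewardPerToken();
        lastUpdateTime = block.timestamp;
        if (_account != address(0)) {
            claimableRewards[_account] += balanceOf[_account]
                * (rewardPerTokenStored - userRewardPerTokenPaid[_account]) / 1e18;
            userRewardPerTokenPaid[_account] = rewardPerTokenStored;
        }
        _;
    }

    // The parameter validation the finding recommends: _account must be the caller
    // or the caller must be a trusted operator. Listed first so it runs before updateReward.
    modifier onlyAuthorizedFor(address _account) {
        require(msg.sender == _account || operators[msg.sender], "not authorized for account");
        _;
    }

    function getReward(address _account) external onlyAuthorizedFor(_account) updateReward(_account) {
        uint256 amount = claimableRewards[_account];
        claimableRewards[_account] = 0;
        emit RewardPaid(_account, amount); // reward token transfer omitted from this sketch
    }
}
```

Modifier order matters: Solidity evaluates modifiers left to right, so the authorization check must precede updateReward or the state write happens before the revert.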