Summary
When we go to functions delegate external
https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleGoldStaking.sol#L145
and _moveDelegates in TempleGoldStaking.sol
https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleGoldStaking.sol#L552-L572
function delegate(address delegatee) external override {
return _delegate(msg.sender, delegatee);
}
calls _moveDelegates with parameters _moveDelegates(address(0), delegates[_for], _amount);
for such combination when srcRep = address(0) and address(0) is obviously not equal dstRep
function _moveDelegates(
address srcRep,
address dstRep,
uint256 amount
) internal {
if (srcRep != dstRep && amount > 0) {
if (srcRep != address(0)) {
uint256 srcRepNum = numCheckpoints[srcRep];
uint256 srcRepOld = srcRepNum > 0 ? _checkpoints[srcRep][srcRepNum - 1].votes : 0;
uint256 srcRepNew = srcRepOld - amount;
_writeCheckpoint(srcRep, srcRepNum, srcRepOld, srcRepNew);
}
if (dstRep != address(0)) {
uint256 dstRepNum = numCheckpoints[dstRep];
uint256 dstRepOld = dstRepNum > 0 ? _checkpoints[dstRep][dstRepNum - 1].votes : 0;
uint256 dstRepNew = dstRepOld + amount;
_writeCheckpoint(dstRep, dstRepNum, dstRepOld, dstRepNew);
}
}
}
_writeCheckpoint(srcRep, srcRepNum, srcRepOld, srcRepNew); will be called
in both functions there is no check if destination is not address(this) ,
that might broke the rules of protocol.
Vulnerability Details
set destination as address of staking contract.
Impact
User losing funds
Tools Used
slither, foundry
Recommendations
Check input data for forbidden or crippled parameters.