Submission Details
Severity:
error in _moveDelegates for srcRep != adress(0), dstRep !=0, amount >0
Summary
When we go to functions delegate external
https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleGoldStaking.sol#L145
and _moveDelegates in TempleGoldStaking.sol
function delegate(address delegatee) external override {
return _delegate(msg.sender, delegatee);
}
calls _moveDelegates with parameters _moveDelegates(address(0), delegates[_for], _amount);
for such combination when srcRep = address(0) and address(0) is obviously not equal dstRep
function _moveDelegates(
address srcRep,
address dstRep,
uint256 amount
) internal {
if (srcRep != dstRep && amount > 0) {
if (srcRep != address(0)) {
uint256 srcRepNum = numCheckpoints[srcRep];
uint256 srcRepOld = srcRepNum > 0 ? _checkpoints[srcRep][srcRepNum - 1].votes : 0;
uint256 srcRepNew = srcRepOld - amount;
_writeCheckpoint(srcRep, srcRepNum, srcRepOld, srcRepNew);
}
if (dstRep != address(0)) {
uint256 dstRepNum = numCheckpoints[dstRep];
uint256 dstRepOld = dstRepNum > 0 ? _checkpoints[dstRep][dstRepNum - 1].votes : 0;
uint256 dstRepNew = dstRepOld + amount;
_writeCheckpoint(dstRep, dstRepNum, dstRepOld, dstRepNew);
}
}
}
_writeCheckpoint(srcRep, srcRepNum, srcRepOld, srcRepNew); will be called
in both functions there is no check if destination is not address(this) ,
that might broke the rules of protocol.
Vulnerability Details
set destination as address of staking contract.
Impact
User losing funds
Tools Used
slither, foundry
Recommendations
Check input data for forbidden or crippled parameters.
Prize pool breakdown
Total prize
25,000 USDC
nSLOC
99825 USDC / LOC
20,000 USDC
2,500 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.