Summary

The recoverToken function has limitations for rewardToken and stakingToken which are understandable, but they are both prone to accidential transfer.(because TempleGoldStaking is whitelisted for TempleGOLD) . If these tokens are accidentally transferred directly without using the staking workflow (stakeor stakeForfunction) the tokens will be permanently locked in the TempleGoldStaking contract.

Vulnerability Details

The recoverToken function in the contract does not permit the recovery of staking/reward tokens. This means that if these tokens are accidentally transferred directly to the contract, they cannot be retrieved, leading to a permanent lock.

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleGoldStaking.sol#L381

The function should be able to recover an amount of staking/reward tokens if accidentally sent, ensuring no more amount than balanceOf(stakingToken) - totalSupply for the stakingToken. Additionally, since TempleGOLD(rewardToken) is whitelisted for transfer and receive in the TempleGoldStakinthis token should be additionally tracked in the contract so we can calculate the maximum recoverable amount. Something like balanceOf(rewardToken) - totalRewardTokenMinted

Impact

The accidentially trasferred recoverTokenand rewardTokenare forever stuck in the contract.

It looks like the Impact is high because tokens are getting stuck. And the likelihood seems like a Medium because tokens have to be accidentially transferred. Hence the severity is High.

Tools Used

Manual Review

Recommendations

Allow recoverTokento recover rewardTokenand stakingToken but limit the amount which can be recovered.
Consider we have added a totalRewardAvailable storage variable in the TempleGoldStaking contract to track the actual rewardToken amount minted and available for reawards.

For example we can change the following functions in TempleGoldStakingin the following way: