TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: high
Invalid

Reward Distribution Cooldown can be set to years [Undue Delay]

Summary

The reward distribution cooldown is unbounded: it can be set to months or even years (the value is a number of seconds, so a period expressed in days is simply converted to seconds).

Vulnerability Details

Here is the function (the opening of the NatSpec comment was lost in the original snippet and is restored here):

    /**
     * @notice Set reward distribution cooldown
     * @param _cooldown Cooldown in seconds
     */
    function setRewardDistributionCoolDown(uint160 _cooldown) external override onlyElevatedAccess {
        /// @dev zero cooldown is allowed
        rewardDistributionCoolDown = _cooldown;
        emit RewardDistributionCoolDownSet(_cooldown);
    }

The main job of this function is to set the cooldown time that must elapse before the next distribution of rewards.

That is, within this cooldown period, no reward will be distributed.

However, the cooldown period can be set to an arbitrarily large value, such as months or years. Reward distribution will then be delayed until the specified cooldown time elapses.

PoC

  • one of the addresses granted onlyElevatedAccess can singlehandedly and maliciously set the cooldown period to 3 years

  • the next distribution epoch will not start until those years elapse.

  • the community will be unsatisfied and stop believing in the project

  • this might trigger a sell-off as holders will want to exit positions and move on

Impact

Undue delay of the next distribution epoch.

Tools Used

Manual review

Recommendations

The DAO should vote and agree on the timeline for cooldown.

Then setRewardDistributionCoolDown should enforce that bound with a check that reverts when the requested cooldown exceeds the agreed maximum.
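The bounded version of the setter, as an added example and not TempleGold's own code: MAX_REWARD_DISTRIBUTION_COOLDOWN, the CooldownTooLong error, the 30-day placeholder value and the minimal onlyElevatedAccess stub are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not TempleGold's code): reward distribution cooldown
/// setter that refuses any value above a DAO-agreed upper bound.
contract BoundedCooldown {
    /// @dev upper bound the DAO agrees on; 30 days is a placeholder value
    uint160 public constant MAX_REWARD_DISTRIBUTION_COOLDOWN = 30 days;

    uint160 public rewardDistributionCoolDown;
    address public immutable elevatedAccess;

    /// @dev assumed error names; not from the audited code base
    error CooldownTooLong(uint160 requested, uint160 max);
    error NotElevatedAccess();

    event RewardDistributionCoolDownSet(uint160 cooldown);

    /// @dev minimal stand-in for the project's access-control modifier
    modifier onlyElevatedAccess() {
        if (msg.sender != elevatedAccess) revert NotElevatedAccess();
        _;
    }

    constructor(address _elevatedAccess) {
        elevatedAccess = _elevatedAccess;
    }

    /// @notice Set reward distribution cooldown, capped at the agreed maximum
    /// @param _cooldown Cooldown in seconds; zero is still allowed
    function setRewardDistributionCoolDown(uint160 _cooldown) external onlyElevatedAccess {
        // A 3-year value (about 94,608,000 seconds) reverts here instead of
        // silently stalling the next distribution epoch.
        if (_cooldown > MAX_REWARD_DISTRIBUTION_COOLDOWN) {
            revert CooldownTooLong(_cooldown, MAX_REWARD_DISTRIBUTION_COOLDOWN);
        }
        rewardDistributionCoolDown = _cooldown;
        emit RewardDistributionCoolDownSet(_cooldown);
    }
}
```

A Foundry test that calls the setter with 3 * 365 days and expects CooldownTooLong covers the scenario from the PoC.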

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
