TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Reentrancy vulnerability in staking withdrawals

Baptizer

Summary

A malicious staker can maliciously withdraw more than they have because the withdrawal functions in Temple Staking contract do not update balances.

Vulnerability Details

These are the vulnerable functions:

function withdraw(uint256 amount, uint256 index, bool claim) external override {
StakeInfo storage _stakeInfo = _stakeInfos[msg.sender][index];
_withdrawFor(_stakeInfo, msg.sender, msg.sender, index, amount, claim, msg.sender);
}
/**
* @notice Withdraw all staked tokens
* @param claim Boolean if to claim rewards
*/
function withdrawAll(uint256 stakeIndex, bool claim) external override {
StakeInfo storage _stakeInfo = _stakeInfos[msg.sender][stakeIndex];
_withdrawFor(_stakeInfo, msg.sender, msg.sender, stakeIndex, _stakeInfo.amount, claim, msg.sender);
}

In each of them, a staker can withdraw more than the tokens they staked. Once a staker has withdrawn their due tokens, they can go aheaad to withdraw more because the functions will still operate with the staker's old balances.

Here is a PoC:

  • Alice staked 300 tokens in the contract

  • Alice called with withdrawfunction and got his 300 tokens

  • Alice can keep calling this function until she drains the contract or it is paused

Impact

Reentrancy

Tools Used

Manual review

Recommendations

Update balances immediately after withdrawal!

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.