TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing event emission in `updateReward` modifier of `TempleGoldStaking`

Fortis Audits

Summary

The updateReward modifier is designed to update the reward information for a given account before executing the function it modifies. It ensures that the latest reward data is stored and applicable rewards are calculated accurately.

Vulnerability Details

The implementation lacks an event emission, which is crucial for tracking and auditing changes in reward calculations.

Impact

Without event logs, tracking changes to reward data becomes difficult for users and developers.
The absence of event hinders external auditors' ability to verify reward calculations and updates effectively.

Code Snippet

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleGoldStaking.sol#L589-L602

// @audit : event is missing

modifier updateReward(address _account, uint256 _index) {

{

// stack too deep

rewardData.rewardPerTokenStored = uint216(_rewardPerToken());

rewardData.lastUpdateTime = uint40(_lastTimeRewardApplicable(rewardData.periodFinish));

if (_account != address(0)) {

StakeInfo memory _stakeInfo = _stakeInfos[_account][_index];

uint256 vestingRate = _getVestingRate(_stakeInfo);

claimableRewards[_account][_index] = _earned(_stakeInfo, _account, _index);

userRewardPerTokenPaid[_account][_index] = vestingRate * uint256(rewardData.rewardPerTokenStored) / 1e18;

}

Tools Used

Manaual Review , Foundry

Recommendations

To address this vulnerability, the updateReward modifier should include event emission.

modifier updateReward(address _account, uint256 _index) {

{

// stack too deep

rewardData.rewardPerTokenStored = uint216(_rewardPerToken());

rewardData.lastUpdateTime = uint40(_lastTimeRewardApplicable(rewardData.periodFinish));

if (_account != address(0)) {

StakeInfo memory _stakeInfo = _stakeInfos[_account][_index];

uint256 vestingRate = _getVestingRate(_stakeInfo);

claimableRewards[_account][_index] = _earned(_stakeInfo, _account, _index);

userRewardPerTokenPaid[_account][_index] = vestingRate * uint256(rewardData.rewardPerTokenStored) / 1e18;

++ emit RewardUpdated(

++ rewardData.rewardPerTokenStored,

++ rewardData.lastUpdateTime,

++ vestingRate,

++ claimableRewards[_account][_index],

++ userRewardPerTokenPaid[_account][_index]

++ );

}

++ event RewardUpdated(

uint256 rewardPerTokenStored,

uint40 lastUpdateTime,

uint256 vestingRate,

uint256 claimableRewards,

uint256 userRewardPerTokenPaid

);

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.