The setRewardDistributionCoolDown function sets the reward distribution cooldown period. Currently, this function lacks a maximum bound, allowing the admin to set it to the maximum value of type(uint160).max. This could significantly impact the distributeRewards function. A malicious admin could set an extremely high cooldown value, effectively preventing users from distributing rewards. This would cause the distributeRewards function to always revert due to the following check:
A malicious admin can set an excessively high cooldown value so that users can never distribute the rewards. The distribution of TGLD rewards to stakers would then always revert because of the cooldown check. Users would be forced to wait for an unreasonably long cooldown period, which effectively disables the reward distribution mechanism.
Add a maximum bound to the rewardDistributionCoolDown value to prevent a malicious admin from setting it to an excessively high value.
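One way to apply this recommendation, as an added sketch that is not the audited contract's code. Only the two function names and the uint160 type come from the finding; the 30-day cap, the admin check, the errors, the event and the lastDistributionTime field are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. Everything except the two
// function names and the uint160 type is an assumption.
contract BoundedCooldownExample {
    // Assumed cap; choose a value that matches the protocol's intended cadence.
    uint160 public constant MAX_REWARD_DISTRIBUTION_COOLDOWN = 30 days;

    address public immutable admin;
    uint160 public rewardDistributionCoolDown;
    uint96 public lastDistributionTime; // hypothetical bookkeeping field

    error NotAdmin();
    error CooldownTooLong(uint160 requested, uint160 maximum);
    error CooldownActive(uint256 readyAt);

    event RewardDistributionCoolDownSet(uint160 cooldown);

    constructor() {
        admin = msg.sender;
    }

    function setRewardDistributionCoolDown(uint160 cooldown) external {
        if (msg.sender != admin) revert NotAdmin();
        // The upper bound: without it, type(uint160).max is accepted and the
        // cooldown check in distributeRewards can never pass again.
        if (cooldown > MAX_REWARD_DISTRIBUTION_COOLDOWN) {
            revert CooldownTooLong(cooldown, MAX_REWARD_DISTRIBUTION_COOLDOWN);
        }
        rewardDistributionCoolDown = cooldown;
        emit RewardDistributionCoolDownSet(cooldown);
    }

    function distributeRewards() external {
        // Assumed shape of the cooldown check, widened to uint256 so the
        // addition cannot overflow.
        uint256 readyAt = uint256(lastDistributionTime) + rewardDistributionCoolDown;
        if (block.timestamp < readyAt) revert CooldownActive(readyAt);
        lastDistributionTime = uint96(block.timestamp);
        // Reward accounting is out of scope for this example.
    }
}
```

With the cap in place, the longest wait an admin can impose between distributions is the constant itself, and the emitted event gives monitoring a signal whenever the value changes.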