TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Inadequate check in `TempleGold::_canDistribute` function with `uint256` signature which can allow the protocol mint less than the `MINIMUM_MINT` or more than the `MAX_SUPPLY` thereby breaking the protocol.

spomaria

Summary

Inadequate check in TempleGold::_canDistribute function with uint256 signature which can allow the protocol mint less than the MINIMUM_MINT thereby breaking the protocol.

Vulnerability Details

The TempleGold::_canDistribute function with uint256 signature implements a logic that is not sound in checking whether or not some TGLD should be minted. This breaks the protocol rule of not minting less than MINIMUM_MINT.

function _canDistribute(uint256 mintAmount) private view returns (bool) {
return mintAmount != 0 && _totalDistributed + mintAmount == MAX_SUPPLY ? true : mintAmount >= MINIMUM_MINT;
}

The above function can return true even without checking the condition mintAmount >= MINIMUM_MINT which is a requirement of the protocol.
Additionally, the condition _totalDistributed + mintAmount == MAX_SUPPLY can allow the protocol to mint all tokens at the first epoch rather than as specified in the vestingFactor which will also break the protocol.

Impact

The logic in the TempleGold::_canDistribute function with uint256 signature breaks the protocol either by allowing the minting of tokens less than MINIMUM_MINT or by forcing the protocol to mint all tokens at the first epoch neglecting the vestingFactor specified by the protocol. Either way, the protocol breaks.

Tools Used

Using chisel in foundry, we can show that the protocol can mint more the MAX_SUPPLY

uint256 constant MAX_SUPPLY = 1_000_000_000 ether
uint256 constant MINIMUM_MINT = 10_000 ether
// For simplicity sake, assume this is the first epoch and replace _totalDistributed with 0 in the function
function _canDistribute(uint256 mintAmount) public view returns(bool) {
return mintAmount != 0 && 0 + mintAmount == MAX_SUPPLY ? true : mintAmount >= MINIMUM_MINT;
}
// will return true for mintAmount > MAX_SUPPLY
➜ _canDistribute(1_100_000_000 ether)
Type: bool
└ Value: true

We can also prove that the TempleGold::_canDistribute function with uint256 signature can break the protocol by allowing the minting of mintAmount < MINIMUM_MINT. For this demonstration, let us suppose that the protocol has recorded some epochs and _totalDistributed is not zero, let us replace zero by 999_999_000 in the function and check if the protocol can mint 1_000 tokens

uint256 constant MAX_SUPPLY = 1_000_000_000 ether
uint256 constant MINIMUM_MINT = 10_000 ether
uint256 constant totalDist = 999_999_000 ether
function _canDistribute(uint256 mintAmount) public view returns(bool) {
return mintAmount != 0 && totalDist + mintAmount == MAX_SUPPLY ? true : mintAmount >= MINIMUM_MINT;
}
// will return true for mintAmount < MINIMUM_MINT
➜ _canDistribute(1_000 ether)
Type: bool
└ Value: true

Protocol returns true for mintAmount < MINIMUM_MINT

Recommendations

The TempleGold::_canDistribute function with uint256 signature should be modified as follows

// i.e. mintAmount >= MINIMUM_MINT && _totalDistributed + mintAmount <= MAX_SUPPLY ? true : false;
function _canDistribute(uint256 mintAmount) private view returns (bool) {
- return mintAmount != 0 && _totalDistributed + mintAmount == MAX_SUPPLY ? true : mintAmount >= MINIMUM_MINT;
+ return mintAmount >= MINIMUM_MINT && _totalDistributed + mintAmount <= MAX_SUPPLY ? true : false;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

`_canDistribute` could return a result breaking the MAX TOTAL SUPPLY of TGLD

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.