TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Malicious users can call `getReward` on behalf of other users leading to loss of rewards.

Summary

The `getReward` function can be called by anyone on behalf of any staker.

This allows a malicious user to cut short the rewards earned by others by calling
`getReward` on their behalf while the vesting period is still ongoing.
The staker therefore loses part of their rewards.

Vulnerability Details

Suppose Alice stakes on 1st May with a vesting period of 10 days, so
`fullyVestedAt` = 11th May.

Bob can call `getReward(Alice, index)` on 2nd May, causing a loss of rewards
because Alice does not receive the full `vestingRate` multiplier.

Impact

Users could lose rewards if another malicious user calls `getReward` on their behalf
while the vesting period is ongoing.

Tools Used

Manual Review

Recommendations

Ensure that users cannot call `getReward` on behalf of other users:

```solidity
function getReward(uint256 index) external override updateReward(msg.sender, index) {
    // Only the caller's own rewards can be claimed; there is no staker address parameter.
    _getReward(msg.sender, msg.sender, index);
}
```

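A constructed Solidity sketch of the pattern this report describes and the restriction it recommends. This is added example code, not TempleGold's contract; the linear vesting, `VESTING_PERIOD`, and the function and storage names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed illustration (not TempleGold code): a staker's pending reward vests
/// linearly over VESTING_PERIOD, and claiming resets the pending amount, so a claim
/// made before full vesting forfeits the unvested remainder.
contract VestingRewardsExample {
    uint256 public constant VESTING_PERIOD = 10 days; // assumption: 10-day linear vesting

    mapping(address => uint256) public stakeStart;     // when the staker last staked
    mapping(address => uint256) public pendingReward;  // reward if fully vested
    mapping(address => uint256) public paidOut;        // rewards already claimed

    function stake(uint256 reward) external {
        stakeStart[msg.sender] = block.timestamp;
        pendingReward[msg.sender] = reward;
    }

    /// Fraction of the reward vested so far, scaled to 1e18.
    function vestingRate(address staker) public view returns (uint256) {
        uint256 elapsed = block.timestamp - stakeStart[staker];
        if (elapsed >= VESTING_PERIOD) return 1e18;
        return (elapsed * 1e18) / VESTING_PERIOD;
    }

    /// Permissive form the report warns about: any caller may trigger a claim for
    /// `staker`, locking in whatever vesting rate applies at that moment.
    function getRewardFor(address staker) external {
        _getReward(staker);
    }

    /// Restricted form matching the recommendation: a staker can only claim for
    /// themself, so nobody else can cut their vesting short.
    function getReward() external {
        _getReward(msg.sender);
    }

    function _getReward(address staker) internal {
        uint256 amount = (pendingReward[staker] * vestingRate(staker)) / 1e18;
        pendingReward[staker] = 0; // unvested remainder is forfeited on claim
        paidOut[staker] += amount;
        // token transfer omitted; a real contract would send `amount` to `staker`
    }
}
```

With the permissive form, a claim on day 2 of the 10-day period pays out only 20% of the pending reward and zeroes the rest; the restricted form leaves that decision with the staker.
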
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
