The TempleGoldStaking.sol contract contains a vulnerability where the getReward function, being external and callable by anyone, can be abused to manipulate the reward calculations for any staker. This can lead to unintended alterations in future reward calculations and can flood the blockchain with unnecessary transactions.

The getReward function in the TempleGoldStaking.sol contract is defined as follows:

This function allows anyone to claim rewards on behalf of any staker. While this might seem harmless at first, the use of the updateReward modifier introduces a critical issue.

The updateReward modifier is defined as:

This modifier updates the reward data for the staker each time the getReward function is called. Since anyone can call this function for any staker, it can lead to frequent and unnecessary updates to the reward data, potentially disrupting future reward calculations.

Additionally, the _getReward function called within getReward does not revert when the claim amount is zero:

This means an attacker can repeatedly call getReward, even when there are no rewards to claim, causing unnecessary reward updates and bloating the blockchain with meaningless transactions.
Reward Calculation Manipulation: The frequent and unnecessary updates to the reward data can alter the intended reward calculations for stakers, leading to potential inaccuracies and unfair distributions.
Blockchain Bloat: By allowing calls to getReward with no claimable rewards, the contract is vulnerable to spam attacks that can flood the blockchain with meaningless transactions, increasing gas costs and reducing overall efficiency.
Tools used: Code editor/IDE
Access Control: Implement access control on the getReward function to restrict who can call it. This can be done by introducing a whitelist or limiting calls to the staker themselves.

Revert on Zero Amount: Modify the _getReward function to revert when the claim amount is zero, preventing unnecessary reward updates and transactions:
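As an added illustration, not code from TempleGoldStaking.sol, a minimal Synthetix-style reward tracker that carries both recommended hardenings (caller restricted to the staker, revert on a zero claim). The contract name, the ZeroAmount and NotStaker errors, and the accounting-only stake() are assumptions made for this example.

```solidity
pragma solidity ^0.8.20;
// Added example, not TempleGoldStaking.sol: minimal Synthetix-style accrual with
// the two hardenings. ZeroAmount, NotStaker and the token-less stake() are assumed.
contract HardenedRewardClaim {
    uint256 public immutable rewardRate;      // reward units per second, shared by all stakers
    uint256 public lastUpdateTime;
    uint256 public rewardPerTokenStored;
    uint256 public totalSupply;
    mapping(address => uint256) public balances;
    mapping(address => uint256) public rewards;               // accrued, unclaimed
    mapping(address => uint256) public userRewardPerTokenPaid;
    error ZeroAmount();
    error NotStaker(address caller, address staker);
    event RewardPaid(address indexed staker, uint256 amount);
    constructor(uint256 rate) { rewardRate = rate; lastUpdateTime = block.timestamp; }
    function rewardPerToken() public view returns (uint256) {
        if (totalSupply == 0) return rewardPerTokenStored;
        return rewardPerTokenStored + (block.timestamp - lastUpdateTime) * rewardRate * 1e18 / totalSupply;
    }
    function earned(address account) public view returns (uint256) {
        return balances[account] * (rewardPerToken() - userRewardPerTokenPaid[account]) / 1e18 + rewards[account];
    }
    // Checkpoints global and per-account accrual before the guarded body runs.
    modifier updateReward(address account) {
        rewardPerTokenStored = rewardPerToken();
        lastUpdateTime = block.timestamp;
        rewards[account] = earned(account);
        userRewardPerTokenPaid[account] = rewardPerTokenStored;
        _;
    }
    // Accounting-only stake (no token transfer) so rewards can accrue in this example.
    function stake(uint256 amount) external updateReward(msg.sender) {
        totalSupply += amount;
        balances[msg.sender] += amount;
    }
    // Hardening 1 (access control): only the staker may trigger the claim path.
    // A whitelist of approved claimers could be checked here instead, as recommended above.
    function getReward(address staker) external updateReward(staker) {
        if (msg.sender != staker) revert NotStaker(msg.sender, staker);
        _getReward(staker);
    }
    // Hardening 2 (revert on zero): a claim with nothing to pay out reverts, so the
    // reward checkpoint written by updateReward is rolled back and no no-op tx succeeds.
    function _getReward(address staker) internal {
        uint256 amount = rewards[staker];
        if (amount == 0) revert ZeroAmount();
        rewards[staker] = 0;
        emit RewardPaid(staker, amount);  // a real contract would transfer `amount` here
    }
}
```

Because the revert unwinds the state written by the updateReward modifier, a caller with no claimable balance cannot force a reward checkpoint for another staker.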