no restrictions implemented in the 'setStakingContract' function
Vulnerability Details
in the 'setStakingContract' function it allows the owner to change the staking contract address at any time without any restrictions and potentially breaking the entire staking ecosystem because that poses several issues:
-
It doesn't check if there are any ongoing stakes or pending points.
-
Changing the staking contract could potentially break the connection between existing stakes and their corresponding points.
-
There's no mechanism to migrate existing data or stakes to the new contract.
-
It lacks a two-step process or timelock for such a critical change.
PoC :
Users stake tokens and accumulate points over time.
Owner calls setStakingContract with a new address.
New stakes are recorded from the new address, but old stakes are still tied to the old address.
This leads to a split in the staking system, where old stakes can't be unstaked or claim points, and new stakes operate separately.
Impact
Users with existing stakes could lose access to their staked tokens and accumulated points.
The totalStaked amount becomes inaccurate, affecting point distribution.
The onStaked and onUnstaked functions become unreliable as they depend on the staking contract.
Tools Used
Manual review
Recommendations
To mitigate, implement checks for existing stakes, a migration mechanism, and a timelock for changes
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.