Labels: Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label), Medium (A valid Medium severity issue), Reward (A payout will be made for this issue)
MxAxM added the Medium (A valid Medium severity issue) and Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label) labels and removed the Excluded (Excluded by the judge without consulting the protocol or the senior) label on Jun 29, 2024
sherlock-admin2 changed the title from "Flaky Chrome Elephant - execute_create_batch will not work properly" to "cu5t0mPe0 - execute_create_batch will not work properly" on Jun 29, 2024
cu5t0mPe0
Medium
execute_create_batch will not work properly
Summary
Since the recipient will not be the owner, `execute_create_batch` will not be usable.
Vulnerability Detail
`execute_create_batch` can only be called by the owner, and when `validator_to_delegate_to` is set, `execute_create_batch` will call `execute_delegate`.
https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-vesting/src/contract.rs#L126-L129
https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-vesting/src/contract.rs#L189
But the Sherlock docs mention:
For the vesting contract, the current recipient is the owner, but this is likely to be changed to a recipient address, and the delegation methods would be restricted to the recipient rather than the owner.
So the situation is: `execute_create_batch` can only be called by the owner, while `execute_delegate` can only be called by the recipient.
Therefore, when the `execute_create_batch` is set to be called only by the recipient in the future, `execute_create_batch` will not function properly. (Note: recipient is a state variable, not a parameter.)
This issue exists in both the current Sherlock version and the latest official repo.
Impact
`execute_create_batch` does not work properly.
Code Snippet
https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-vesting/src/contract.rs#L126-L129
https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-vesting/src/contract.rs#L189
Tool used
Manual Review
Recommendation
Inline the current `execute_delegate` logic in `execute_create_batch`, or allow both the owner and the recipient to call `execute_delegate`.
Duplicate of #59
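The access-control mismatch described in this report, as an added Rust sketch that is not the Andromeda contract code and not part of the original issue. It is a simplified model: `Vesting`, `delegate_unchecked`, `create_batch_as_reported`, `create_batch_inlined` and the sample addresses are assumed names, and the recipient is assumed to differ from the owner.

```rust
// Simplified model of the owner/recipient mismatch (assumed names, not the contract code).
#[derive(Debug, PartialEq)]
enum Error { Unauthorized }

struct Vesting {
    owner: String,
    recipient: String,              // state variable, not a call parameter
    delegated: Vec<(String, u128)>, // (validator, amount) records
}

impl Vesting {
    // Rule quoted from the docs: delegation is restricted to the recipient.
    fn execute_delegate(&mut self, sender: &str, validator: &str, amount: u128) -> Result<(), Error> {
        if sender != self.recipient { return Err(Error::Unauthorized); }
        self.delegate_unchecked(validator, amount);
        Ok(())
    }

    // Shared delegation logic without a caller check; callers must authorize first.
    fn delegate_unchecked(&mut self, validator: &str, amount: u128) {
        self.delegated.push((validator.to_string(), amount));
    }

    // As reported: owner-only entry point that routes through the recipient-only handler.
    fn create_batch_as_reported(&mut self, sender: &str, amount: u128, validator: Option<&str>) -> Result<(), Error> {
        if sender != self.owner { return Err(Error::Unauthorized); }
        if let Some(v) = validator {
            self.execute_delegate(sender, v, amount)?; // the owner fails the recipient check
        }
        Ok(())
    }

    // First recommendation: inline the delegate logic behind the owner check.
    fn create_batch_inlined(&mut self, sender: &str, amount: u128, validator: Option<&str>) -> Result<(), Error> {
        if sender != self.owner { return Err(Error::Unauthorized); }
        if let Some(v) = validator { self.delegate_unchecked(v, amount); }
        Ok(())
    }
}

// Constructed scenario: owner and recipient are different addresses.
fn demo() -> (Result<(), Error>, Result<(), Error>, usize) {
    let mut c = Vesting { owner: "owner".into(), recipient: "recipient".into(), delegated: vec![] };
    let reported = c.create_batch_as_reported("owner", 100, Some("validator1"));
    let inlined = c.create_batch_inlined("owner", 100, Some("validator1"));
    (reported, inlined, c.delegated.len())
}

fn main() { println!("{:?}", demo()); }
```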