cu5t0mPe0 - execute_create_batch will not work properly #21

Closed
sherlock-admin2 opened this issue Jun 23, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments


sherlock-admin2 commented Jun 23, 2024

cu5t0mPe0

Medium

execute_create_batch will not work properly

Summary

Since the recipient will not be the owner, execute_create_batch will not be usable.

Vulnerability Detail

execute_create_batch can only be called by the owner, and when validator_to_delegate_to is set, execute_create_batch will call execute_delegate.

https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-vesting/src/contract.rs#L126-L129

https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-vesting/src/contract.rs#L189

But the Sherlock docs mention: "For the vesting contract, the current recipient is the owner, but this is likely to be changed to a recipient address, and the delegation methods would be restricted to the recipient rather than the owner."

So the situation is: execute_create_batch can only be called by the owner, while execute_delegate can only be called by the recipient.

Therefore, when execute_delegate is set to be called only by the recipient in the future, execute_create_batch will not function properly. (Note: recipient is a state variable, not a parameter.)

This issue exists in both the current Sherlock version and the latest official repo.

Impact

execute_create_batch does not work properly

Code Snippet

https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-vesting/src/contract.rs#L126-L129

https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-vesting/src/contract.rs#L189

Tool used

Manual Review

Recommendation

Inline the current execute_delegate logic in execute_create_batch, or allow both the owner and the recipient to call execute_delegate.

Duplicate of #59
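The authorization chain the report describes, reduced to a runnable model. This is an added example, not the Andromeda vesting contract's code: `State` and `Info` are stand-ins for the contract's storage and CosmWasm's `MessageInfo`, the returned strings stand in for the `CosmosMsg`s the real handlers emit, and `DelegatePolicy` is a hypothetical knob that lets the owner-only check in the audited code be compared with the recipient-only check the Sherlock docs say is planned and with the report's "owner or recipient" fix.

```rust
// Added model of the owner -> recipient authorization chain from the report.
// Not the Andromeda contract's code; State, Info and DelegatePolicy are
// assumptions chosen so the three access-control variants can be compared.

#[derive(Debug, PartialEq)]
pub enum ContractError {
    Unauthorized { caller: String, required: &'static str },
}

#[derive(Clone, Debug)]
pub struct State {
    pub owner: String,
    // Stored in state, not passed as a call parameter (as the report notes).
    pub recipient: String,
}

/// Stand-in for CosmWasm's MessageInfo: only the sender matters here.
#[derive(Clone, Debug)]
pub struct Info {
    pub sender: String,
}

/// Who may call execute_delegate. OwnerOnly models the audited code,
/// RecipientOnly the documented future change, OwnerOrRecipient one of the
/// report's two suggested fixes.
#[derive(Clone, Copy, Debug)]
pub enum DelegatePolicy {
    OwnerOnly,
    RecipientOnly,
    OwnerOrRecipient,
}

pub fn execute_delegate(
    state: &State,
    info: &Info,
    policy: DelegatePolicy,
    validator: &str,
    amount: u128,
) -> Result<String, ContractError> {
    let (allowed, required) = match policy {
        DelegatePolicy::OwnerOnly => (info.sender == state.owner, "owner"),
        DelegatePolicy::RecipientOnly => (info.sender == state.recipient, "recipient"),
        DelegatePolicy::OwnerOrRecipient => (
            info.sender == state.owner || info.sender == state.recipient,
            "owner or recipient",
        ),
    };
    if !allowed {
        return Err(ContractError::Unauthorized { caller: info.sender.clone(), required });
    }
    Ok(format!("delegate {amount} to {validator}"))
}

pub fn execute_create_batch(
    state: &State,
    info: &Info,
    policy: DelegatePolicy,
    amount: u128,
    validator_to_delegate_to: Option<&str>,
) -> Result<Vec<String>, ContractError> {
    // Outer handler is owner-only, as in the audited contract.
    if info.sender != state.owner {
        return Err(ContractError::Unauthorized { caller: info.sender.clone(), required: "owner" });
    }
    let mut msgs = vec![format!("create batch of {amount}")];
    if let Some(validator) = validator_to_delegate_to {
        // The nested call re-checks authorization against the same info.sender.
        // With RecipientOnly and owner != recipient no caller passes both checks,
        // so the `?` always propagates the inner Unauthorized error.
        msgs.push(execute_delegate(state, info, policy, validator, amount)?);
    }
    Ok(msgs)
}

fn main() {
    let state = State { owner: "owner".into(), recipient: "recipient".into() };
    let callers = [Info { sender: "owner".into() }, Info { sender: "recipient".into() }];
    let policies = [
        DelegatePolicy::OwnerOnly,
        DelegatePolicy::RecipientOnly,
        DelegatePolicy::OwnerOrRecipient,
    ];
    for policy in policies {
        for info in &callers {
            let res = execute_create_batch(&state, info, policy, 100, Some("validator1"));
            println!("{:?} / caller {}: {:?}", policy, info.sender, res);
        }
    }
}
```

Running `main` prints one line per (policy, caller) pair. The only combination that fails with `validator_to_delegate_to` set under `RecipientOnly` is the one the report cares about: the owner passes the outer check and is rejected by the inner one, while the recipient never reaches the inner call at all. Omitting the validator skips `execute_delegate`, which is why the break only shows up for batches that delegate.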

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jun 28, 2024
@MxAxM MxAxM added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jun 29, 2024
@sherlock-admin2 sherlock-admin2 changed the title Flaky Chrome Elephant - execute_create_batch will not work properly cu5t0mPe0 - execute_create_batch will not work properly Jun 29, 2024
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Jun 29, 2024