J4X_ - Batch creation will break if vestings are opened to recipients #59
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
J4X_
Medium
Batch creation will break if vestings are opened to recipients
Summary
The andromeda-vesting contract allows the owner to create vestings (batches) that freeze tokens. The planned update will let the recipient, instead of the owner, claim or delegate the vested tokens. However, this change introduces a conflict in the delegation step of batch creation: execute_create_batch() is restricted to the owner, while the execute_delegate() it calls will be restricted to the recipient, so the combined path checks for both roles on the same sender and always reverts. This makes it impossible to create batches with direct delegation.
Vulnerability Detail
The andromeda-vesting contract allows for creating vestings, aka batches.
The current contract is fully restricted to the owner. Effectively, it only allows the owner to freeze his own tokens in vestings in order to recover them later. To add real functionality, the team plans to adapt the contract so that the owner still creates the batches, but they can be claimed or delegated by the recipient. This is also described in the contest description:
As per my communication with the team, the only change that will occur is that the restriction to the owner in the claiming and delegation functions will be replaced with a restriction to the recipient. For the following reason, it will then be impossible to create vestings with a direct delegation.
When a vesting gets created, it can only be done by the owner due to the following check:
The batch creator can pass a validator_to_delegate_to parameter, which results in the vested tokens being staked directly to a validator. To do this, execute_create_batch() calls the execute_delegate() function. This function is currently restricted to the owner, but will be changed to be restricted to the recipient, as per the contest description. The problem is that, in this case, the delegation and therefore the creation of the batch will always revert, because the same call path requires info.sender == owner (in execute_create_batch()) and info.sender == recipient (in execute_delegate()), and a single sender cannot satisfy both unless owner and recipient are the same address.
Impact
This issue results in the creation of batches becoming impossible with a direct delegation.
Code Snippet
https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/bbbf73e5d1e4092ab42ce1f827e33759308d3786/andromeda-core/contracts/finance/andromeda-vesting/src/contract.rs#L314-L317
Tool used
Manual Review
Recommendation
We recommend adapting the execute_delegate function to be callable by either the owner or the recipient, instead of only the owner (or, after the planned change, only the recipient). The owner-only restriction on execute_create_batch() can stay as it is.
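To make the conflict concrete, the following is an added example (not the andromeda-vesting contract's own code) that models the two authorization checks in plain Rust without cosmwasm-std. The function names execute_create_batch and execute_delegate mirror the ones discussed above, but the State, MessageInfo and DelegatePolicy types, the string-based messages, and the "owner"/"recipient" addresses are all assumptions constructed for the illustration. It runs the owner-initiated batch creation with direct delegation under the current owner-only policy, the planned recipient-only policy, and the recommended owner-or-recipient policy.

```rust
// Added example modelling the authorization paths described in the report.
// Not the andromeda-vesting contract's code: types and addresses are constructed.

#[derive(Debug, PartialEq, Eq)]
pub enum ContractError {
    Unauthorized,
}

/// Who is allowed to call execute_delegate.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum DelegatePolicy {
    OwnerOnly,        // current contract
    RecipientOnly,    // the planned change
    OwnerOrRecipient, // the recommendation
}

/// Minimal stand-in for the contract's stored state (assumed shape).
pub struct State {
    pub owner: String,
    pub recipient: String,
    pub delegate_policy: DelegatePolicy,
}

/// Minimal stand-in for cosmwasm's MessageInfo: only the sender matters here.
pub struct MessageInfo {
    pub sender: String,
}

fn ensure_owner(state: &State, info: &MessageInfo) -> Result<(), ContractError> {
    if info.sender == state.owner { Ok(()) } else { Err(ContractError::Unauthorized) }
}

/// Delegation entry point; the only thing that changes between the three
/// scenarios is which sender it accepts.
pub fn execute_delegate(
    state: &State,
    info: &MessageInfo,
    amount: u128,
    validator: &str,
) -> Result<String, ContractError> {
    let allowed = match state.delegate_policy {
        DelegatePolicy::OwnerOnly => info.sender == state.owner,
        DelegatePolicy::RecipientOnly => info.sender == state.recipient,
        DelegatePolicy::OwnerOrRecipient => {
            info.sender == state.owner || info.sender == state.recipient
        }
    };
    if !allowed {
        return Err(ContractError::Unauthorized);
    }
    Ok(format!("delegate {} to {}", amount, validator))
}

/// Batch creation stays owner-only; with validator_to_delegate_to set it
/// forwards to execute_delegate with the *same* sender (the owner).
pub fn execute_create_batch(
    state: &State,
    info: &MessageInfo,
    amount: u128,
    validator_to_delegate_to: Option<&str>,
) -> Result<Vec<String>, ContractError> {
    ensure_owner(state, info)?;
    let mut msgs = vec![format!("create batch of {} for {}", amount, state.recipient)];
    if let Some(validator) = validator_to_delegate_to {
        // The owner is the sender here, so a recipient-only check must fail.
        msgs.push(execute_delegate(state, info, amount, validator)?);
    }
    Ok(msgs)
}

fn sample_state(policy: DelegatePolicy) -> State {
    State {
        owner: "owner".to_string(),         // constructed address
        recipient: "recipient".to_string(), // constructed address
        delegate_policy: policy,
    }
}

/// Does an owner-created batch with direct delegation succeed under `policy`?
pub fn batch_with_delegation_succeeds(policy: DelegatePolicy) -> bool {
    let state = sample_state(policy);
    let owner = MessageInfo { sender: state.owner.clone() };
    execute_create_batch(&state, &owner, 1_000, Some("validator1")).is_ok()
}

/// Can the recipient still delegate on their own under `policy`?
pub fn recipient_can_delegate(policy: DelegatePolicy) -> bool {
    let state = sample_state(policy);
    let recipient = MessageInfo { sender: state.recipient.clone() };
    execute_delegate(&state, &recipient, 1_000, "validator1").is_ok()
}

fn main() {
    for policy in [
        DelegatePolicy::OwnerOnly,
        DelegatePolicy::RecipientOnly,
        DelegatePolicy::OwnerOrRecipient,
    ] {
        println!(
            "{:?}: owner batch+delegate ok = {}, recipient delegate ok = {}",
            policy,
            batch_with_delegation_succeeds(policy),
            recipient_can_delegate(policy)
        );
    }
}
```

Under RecipientOnly the owner's batch creation with a validator reverts with Unauthorized, exactly the failure the report describes, while under OwnerOrRecipient both the owner's direct-delegation batch and the recipient's later delegation go through.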