This repository has been archived by the owner on Jul 21, 2024. It is now read-only.

Avci - the batchTelcoin will always fail due to wrong check in require. #250

Closed
sherlock-admin2 opened this issue Jan 15, 2024 · 1 comment
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments


sherlock-admin2 commented Jan 15, 2024

Avci

medium

The batchTelcoin will always fail due to a wrong check in require.

Summary

The batchTelcoin will always fail due to a wrong check in require.

Vulnerability Detail

In the contract TelcoinDistributor.sol, the function batchTelcoin will always fail because it contains a require which reverts if the initial balance of this contract and the balance aren't equal after the token transfer!

Impact

The whole batchTelcoin function is not going to work at all and will not batch-transfer tokens, because this check is blocking it.

Code Snippet

Look at this function: first it stores the balance of the contract in initialBalance, and then it does the transfer process as it is supposed to, but suddenly it checks that initialBalance is == to the balance, which is wrong because the balance of the contract is going to be changed anyway, but it reverts and blocks the transfer process.

    function batchTelcoin(
        uint256 totalWithdrawl,
        address[] memory destinations,
        uint256[] memory amounts
    ) internal {
        // stores initial balance
        uint256 initialBalance = TELCOIN.balanceOf(address(this));
        //transfers amounts
        TELCOIN.safeTransferFrom(owner(), address(this), totalWithdrawl);
        for (uint i = 0; i < destinations.length; i++) {
            TELCOIN.safeTransfer(destinations[i], amounts[i]);
        }
        //initial balance is used instead of zero
        //if 0 is used instead stray Telcoin could DNS operations
        require(
            TELCOIN.balanceOf(address(this)) == initialBalance,
            "TelcoinDistributor: must not have leftovers"
        );
    }
    

https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/protocol/core/TelcoinDistributor.sol#L185

Tool used

Manual Review

Recommendation

  • The require at the end of batchTelcoin should be removed or fixed so that it does not check equality after the transfer.
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Excluded Excluded by the judge without consulting the protocol or the senior labels Jan 19, 2024
@sherlock-admin2 sherlock-admin2 changed the title Clever Linen Fox - the batchTelcoin will always fail due to wrong check in require. Avci - the batchTelcoin will always fail due to wrong check in require. Jan 29, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jan 29, 2024
@nevillehuang
Collaborator

Invalid. DoS is not possible given the logic executes within the same transaction, wherein tokens are first transferred from the owner to the Distributor address, and then to the destinations.
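
The balance accounting described in the comment above, as an added example that is not part of the original thread or the Telcoin code base: a Python model of the transfers and the final require in batchTelcoin. The `Token` ledger, the `Revert` exception, the `run` helper and the account names are constructed for illustration, and ERC-20 allowances are not modelled.

```python
class Revert(Exception):
    """Models an EVM revert: state changes made in the call are rolled back."""

class Token:
    """Constructed in-memory ledger standing in for the TELCOIN token."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise Revert("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount

def batch_telcoin(token, owner, distributor, total_withdrawl, destinations, amounts):
    """Same order of operations as the Solidity function quoted in the issue."""
    snapshot = dict(token.balances)
    try:
        initial = token.balance_of(distributor)              # balance before the pull
        token.transfer(owner, distributor, total_withdrawl)  # safeTransferFrom(owner, this)
        for dst, amount in zip(destinations, amounts):       # safeTransfer to each destination
            token.transfer(distributor, dst, amount)
        # Holds exactly when sum(amounts) == total_withdrawl.
        if token.balance_of(distributor) != initial:
            raise Revert("TelcoinDistributor: must not have leftovers")
    except Revert:
        token.balances = snapshot                            # atomic rollback
        raise

def run(stray, total, amounts):
    """stray = tokens already held by the distributor before the call (constructed input)."""
    token = Token({"owner": 1000, "distributor": stray})
    dests = [f"user{i}" for i in range(len(amounts))]
    try:
        batch_telcoin(token, "owner", "distributor", total, dests, amounts)
        return "ok", token.balance_of("distributor")
    except Revert as exc:
        return "revert", str(exc)

if __name__ == "__main__":
    for case in [(0, 100, [60, 40]), (7, 100, [60, 40]), (0, 100, [60, 30]), (7, 100, [60, 47])]:
        print(case, "->", run(*case))
```
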
