Lines of code

Vulnerability details

Impact

The README describes the following when a voting ends:

Outside of the Hidden Hand contract scope, after the Tokemak CoRE round ends, proposal data is compiled and these two things happen:
- The following is derived from the data: its hash (KECCAK-256) and merkle roots (one for each bribe token in the round and contains the accounts and amounts each should receive)
- The data file is uploaded to a publicly-accessible location and can be used to verify the hash and merkle roots by an auditor

The way claim() is implemented in RewardDistributor.sol, it lacks any kind of access control. So if the data containing the merkle proofs is published on a public location, a malicious user that can provide the correct parameters is able to steal all the rewards

Proof of Concept

• <https://github.com/code-423n4/2022-02-redacted-cartel/blob/main/contracts/RewardDistributor.sol#L79&gt;
• <https://github.com/code-423n4/2022-02-redacted-cartel/blob/main/contracts/RewardDistributor.sol#L152&gt;

Tools Used

Editor

Recommended Mitigation Steps

Add some kind of access control to claim() (e.g. verifying that msg.sender is equal to the account_ taking the reward)

The text was updated successfully, but these errors were encountered:

All reactions