Reward-token registration is irreversible
Description
The current version of the protocol allows adding a new reward-token address to the rewardTokenList using the registerNewRewardToken function. However, there is no function implemented to remove a reward token from this list, making the registration of reward tokens irreversible.
Impact
If an invalid address is accidentally registered, or if a registered reward token blacklists the StakedPDT contract address, the protocol becomes unusable.
For example, the following code from distribute iterates over rewardTokenList and calls balanceOf on every registered token:
    for (uint256 itTokenIndex; itTokenIndex < _nTokenTypes; ) {
        address _token = _tokenList[itTokenIndex];
        uint256 _rewardBalance = IERC20(_token).balanceOf(address(this));
        uint256 _rewardsToDistribute = _rewardBalance - unclaimedRewards[_token];
        // ... (remainder of the loop body is not shown in this excerpt)
    }
If an invalid address is registered in the rewardTokenList, the balanceOf call on that address will fail, causing the distribute call to always revert. Since the distribute function must be called by the admin to start a new epoch, the protocol will be permanently halted, and the halt cannot be resolved without a protocol upgrade.
Recommendations
Add a function that can remove a specific reward token from the rewardTokenList.
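One possible shape for such a removal function, shown as an added example that is not the StakedPDT source and not the fix from the commit referenced under Remediation. The contract name, the admin check, the indexPlusOne mapping, the errors and the event are assumptions made for illustration; only rewardTokenList and registerNewRewardToken are names taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration (hypothetical contract), not the audited code.
contract RewardTokenRegistry {
    address public immutable admin;
    address[] public rewardTokenList;
    // 1-based position in rewardTokenList; 0 means "not registered".
    mapping(address => uint256) private indexPlusOne;

    event RewardTokenRemoved(address indexed token);

    error NotAdmin();
    error InvalidToken();
    error AlreadyRegistered();
    error NotRegistered();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function registerNewRewardToken(address token) external onlyAdmin {
        // Addresses without code (zero address, EOAs) would make balanceOf revert.
        if (token.code.length == 0) revert InvalidToken();
        if (indexPlusOne[token] != 0) revert AlreadyRegistered();
        rewardTokenList.push(token);
        indexPlusOne[token] = rewardTokenList.length;
    }

    function removeRewardToken(address token) external onlyAdmin {
        uint256 idx = indexPlusOne[token];
        if (idx == 0) revert NotRegistered();
        uint256 lastIdx = rewardTokenList.length;
        if (idx != lastIdx) {
            // Swap-and-pop: move the last token into the vacated slot.
            address last = rewardTokenList[lastIdx - 1];
            rewardTokenList[idx - 1] = last;
            indexPlusOne[last] = idx;
        }
        rewardTokenList.pop();
        delete indexPlusOne[token];
        emit RewardTokenRemoved(token);
    }
}
```

Swap-and-pop changes the order of rewardTokenList, so any code that caches a token's index must re-read it after a removal. A real implementation also has to decide how rewards of the removed token that were already distributed but not yet claimed are handled.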
Remediation
This issue has been acknowledged by Paragons DAO, and a fix was implemented in commit f5944102.