Description

The current version of the protocol allows adding a new reward-token address to the rewardTokenList using the registerNewRewardToken function. However, there is no function implemented to remove a reward token from this list, making the registration of reward tokens irreversible.

Impact

If an invalid address is accidentally registered, or if a registered reward token blacklists the StakedPDT contract address, the protocol becomes unusable.

For example, the following code from distribute iterates over rewardTokenList and calls balanceOf on every registered token.

for (uint256 itTokenIndex; itTokenIndex < _nTokenTypes; ) {
    address _token = _tokenList[itTokenIndex];
    uint256 _rewardBalance = IERC20(_token).balanceOf(address(this));
    uint256 _rewardsToDistribute = _rewardBalance - unclaimedRewards[_token];

If an invalid address is registered in the rewardTokenList, the balanceOf call on such address will fail, causing the distribute call to always revert. Since the distribute function must be called by the admin to start a new epoch, the protocol will be permanently halted and cannot be resolved without a protocol upgrade.

Recommendations

Add a function that can remove a specific reward token from the rewardTokenList.

Remediation

This issue has been acknowledged by Paragons DAO, and a fix was implemented in commit f5944102↗.