New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Owner can use recoverERC20 to drain reward tokens #81
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-68
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
labels
Oct 29, 2022
Duplicate of #17 |
kirk-baird marked the issue as not a duplicate |
kirk-baird marked the issue as duplicate |
kirk-baird marked the issue as satisfactory |
c4-judge
added
the
satisfactory
satisfies C4 submission criteria; eligible for awards
label
Nov 10, 2022
kirk-baird marked the issue as not a duplicate |
kirk-baird marked the issue as duplicate of #17 |
Simon-Busch marked the issue as duplicate of #68 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-68
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-10-paladin/blob/2cef3087052f019c8043f66f954d630b81cb16fb/contracts/WardenPledge.sol#L654
Vulnerability details
Impact
recoverERC20
does not allow recovering the token whenminAmountRewardToken[token] != 0
such that the owner is not able to drain the reward tokens out of the contracts. However, the owner fully controlsminAmountRewardToken[token]
and can reset it to 0 withremoveRewardToken
, even if there is a remaining reward amount that is available for pledges.This is a significant risk for users (especially pledge creators) that interact with the contract, as the reward tokens that they have transferred can be removed at any point.
Proof Of Concept
Consider the following diff where the owner removes the reward token and then calls
recoverERC20
(which does not revert, i.e. the test fails there):Recommended Mitigation Steps
Track for every token if there are remaining pledges. Do not allow recovering the tokens if this is the case.
The text was updated successfully, but these errors were encountered: