emergencyTokenTransfer should exclude the xTokenAddress token (pWETH) #370
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-437
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/ui/WETHGateway.sol#L196
Vulnerability details
Impact
The privileged owner could use this to withdraw the pWETH token from the WETHGateway contract and then redeem it for ETH, which could result in the protocol becoming insolvent.
Proof of Concept
The pWETH token can be transferred to the WETHGateway contract from msg.sender by calling withdrawETHWithPermit or withdrawETH. The pWETH token acts as the redeem token for users to withdraw ETH from the WETHGateway contract. The emergencyTokenTransfer function can be used to withdraw any ERC20 tokens stuck in the WETHGateway contract, including the pWETH token. The privileged owner could use this to withdraw the pWETH token from the WETHGateway contract and then redeem it for ETH, which could result in the protocol becoming insolvent.
Tools Used
manual review
Recommended Mitigation Steps
Exclude the pWETH token in the emergencyTokenTransfer function.
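One way to express the recommended exclusion, as an added example that is not ParaSpace's WETHGateway code. The contract name, the protectedXToken field, the custom errors and the minimal token interface are hypothetical, and it assumes the pWETH address is known at deployment and that rescued tokens return a bool from transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration; not the project's code. Every name except
// emergencyTokenTransfer is hypothetical.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract GatewayRescueExample {
    address public immutable owner;
    // Assumption: the pWETH (xToken) address is fixed when the gateway is deployed.
    address public immutable protectedXToken;

    error NotOwner();
    error ProtectedToken(address token);
    error TransferFailed();

    constructor(address xToken) {
        owner = msg.sender;
        protectedXToken = xToken;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Rescue ERC20 tokens stuck in this contract, except the redeem token.
    function emergencyTokenTransfer(address token, address to, uint256 amount)
        external
        onlyOwner
    {
        // The guard the report recommends: pWETH can never leave through
        // the owner-only rescue path, whatever amount is requested.
        if (token == protectedXToken) revert ProtectedToken(token);
        // Assumption: the token reports failure by returning false.
        if (!IERC20Minimal(token).transfer(to, amount)) revert TransferFailed();
    }
}
```

A unit test for this guard would call emergencyTokenTransfer as the owner with the pWETH address and expect a revert, then repeat with an unrelated ERC20 and expect success.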