Collateral.managerWithdraw: owner can rug all baseToken #75
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-254
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/prepo-io/prepo-monorepo//blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L80-L83
Vulnerability details
Impact
MANAGER_WITHDRAW_ROLE can call Collateral.managerWithdraw to send baseToken to the manager.
setManager is called by SET_MANAGER_ROLE.
The number of baseTokens that MANAGER_WITHDRAW_ROLE can take out is determined by ManagerWithdrawHook.minReservePercentage, and setMinReservePercentage is called by SET_MIN_RESERVE_PERCENTAGE_ROLE.
The owner can grant these roles directly, so the owner is able to rug all baseToken in Collateral.
Proof of Concept
https://github.com/prepo-io/prepo-monorepo//blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L80-L83
https://github.com/prepo-io/prepo-monorepo//blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/ManagerWithdrawHook.sol#L17-L18
Tools Used
None
Recommended Mitigation Steps
Consider using a timelock.
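A sketch of the timelock recommendation applied to the reserve parameter, added here as an illustration and not taken from the prePO code base. The contract name, the single-owner access check, the `DELAY` value, the `PERCENT_DENOMINATOR` scale and the propose/execute split are assumptions; only `minReservePercentage` and `setMinReservePercentage` are names from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added illustration (hypothetical contract, not prePO code).
contract TimelockedMinReserve {
    uint256 public constant PERCENT_DENOMINATOR = 1000000; // assumed scale
    uint256 public constant DELAY = 2 days;                // assumed delay

    address public immutable owner;
    uint256 public minReservePercentage;

    uint256 public pendingPercentage;
    uint256 public pendingEta; // 0 means nothing is queued

    event MinReservePercentageProposed(uint256 percentage, uint256 eta);
    event MinReservePercentageChange(uint256 percentage);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 _initialPercentage) {
        require(_initialPercentage <= PERCENT_DENOMINATOR, "> 100%");
        owner = msg.sender;
        minReservePercentage = _initialPercentage;
    }

    // Step 1: queue the change. The event gives depositors DELAY seconds
    // to notice a lowered reserve and exit before it takes effect.
    function proposeMinReservePercentage(uint256 _newPercentage) external onlyOwner {
        require(_newPercentage <= PERCENT_DENOMINATOR, "> 100%");
        pendingPercentage = _newPercentage;
        pendingEta = block.timestamp + DELAY;
        emit MinReservePercentageProposed(_newPercentage, pendingEta);
    }

    // Step 2: apply the queued value only after the delay has elapsed.
    function setMinReservePercentage() external onlyOwner {
        require(pendingEta != 0, "nothing queued");
        require(block.timestamp >= pendingEta, "timelock active");
        minReservePercentage = pendingPercentage;
        pendingEta = 0;
        emit MinReservePercentageChange(minReservePercentage);
    }

    // Minimum balance that must remain after a manager withdrawal.
    function getMinReserve(uint256 _netDeposits) public view returns (uint256) {
        return (_netDeposits * minReservePercentage) / PERCENT_DENOMINATOR;
    }
}
```

The delay only helps if the other levers named in the report, role grants and setManager, sit behind the same timelock; otherwise the reserve limit can still be changed around it.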