Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature to recover stuck tokens is too permissive and could be used to remove CVX tokens #53

Open
c4-submissions opened this issue Sep 27, 2023 · 6 comments
Open

Feature to recover stuck tokens is too permissive and could be used to remove CVX tokens #53

c4-submissions opened this issue Sep 27, 2023 · 6 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategyCore.sol#L215-L220

Vulnerability details

Summary

The VotingStrategyCore contract contains a function to allow the owner of the protocol to withdraw any ERC20 token, including the CVX token, which is core to the contract's functionality.

Impact

The withdrawStuckTokens() function present in the VotingStrategyCore contract allows an admin to recover any "stuck" ERC20 token:

https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategyCore.sol#L215-L220

215:     function withdrawStuckTokens(address _token) public onlyOwner {
216:         IERC20(_token).transfer(
217:             msg.sender,
218:             IERC20(_token).balanceOf(address(this))
219:         );
220:     }

While this seems harmless and would allow the protocol to correct unexpected mistakes, it is important to note that the core of the Votium strategy is composed of CVX tokens. These tokens shouldn't be allowed to be recovered or withdrawn from the contract. Even if it is an owner controlled function, it is important to keep the transparency here.

Recommendation

Validate the token address is different from the CVX contract, to ensure that CVX tokens cannot be unintentionally withdrawn using this function.

    function withdrawStuckTokens(address _token) public onlyOwner {
+       require(_token != CVX_ADDRESS);
        IERC20(_token).transfer(
            msg.sender,
            IERC20(_token).balanceOf(address(this))
        );
    }

Assessed type

Rug-Pull
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 27, 2023
c4-submissions added a commit that referenced this issue Sep 27, 2023
@c4-submissions
adriro issue #53
dcbbf3a
@c4-judge
Copy link
Contributor

c4-judge commented Oct 3, 2023

0xleastwood marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Oct 3, 2023
@0xleastwood 0xleastwood mentioned this issue Oct 4, 2023
Open
@c4-judge c4-judge mentioned this issue Oct 4, 2023
Closed
@c4-judge
Copy link
Contributor

c4-judge commented Oct 4, 2023

0xleastwood marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Oct 4, 2023
@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Oct 4, 2023
@c4-sponsor
Copy link

elmutt (sponsor) confirmed

@0xleastwood
Copy link

0xleastwood commented Oct 5, 2023
edited
Loading

Downgrading this to QA as it is sort of raised in the automated findings, but I do believe the suggestion is worthwhile to implement.

@c4-judge
Copy link
Contributor

c4-judge commented Oct 5, 2023

0xleastwood marked the issue as not selected for report

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed selected for report This submission will be included/highlighted in the audit report 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 5, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Oct 5, 2023

0xleastwood changed the severity to QA (Quality Assurance)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@0xleastwood @c4-judge @c4-sponsor @C4-Staff @c4-submissions