Feature to recover stuck tokens is too permissive and could be used to remove CVX tokens #53
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-a
primary issue
Highest quality submission among a set of duplicates
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategyCore.sol#L215-L220
Vulnerability details
Summary
The VotingStrategyCore contract contains a function to allow the owner of the protocol to withdraw any ERC20 token, including the CVX token, which is core to the contract's functionality.
Impact
The
withdrawStuckTokens()
function present in the VotingStrategyCore contract allows an admin to recover any "stuck" ERC20 token:https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategyCore.sol#L215-L220
While this seems harmless and would allow the protocol to correct unexpected mistakes, it is important to note that the core of the Votium strategy is composed of CVX tokens. These tokens shouldn't be allowed to be recovered or withdrawn from the contract. Even if it is an owner controlled function, it is important to keep the transparency here.
Recommendation
Validate the token address is different from the CVX contract, to ensure that CVX tokens cannot be unintentionally withdrawn using this function.
function withdrawStuckTokens(address _token) public onlyOwner { + require(_token != CVX_ADDRESS); IERC20(_token).transfer( msg.sender, IERC20(_token).balanceOf(address(this)) ); }
Assessed type
Rug-Pull
The text was updated successfully, but these errors were encountered: