Closed code423n4 closed 3 years ago
Fixed as recommended!
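```solidity
function sweepToken(EIP20NonStandardInterface token) override external {
    // The market's own underlying asset must never be swept.
    require(address(token) != underlying, "CErc20::sweepToken: can not sweep underlying token");
    // Send this contract's entire balance of the given token to admin.
    uint256 balance = token.balanceOf(address(this));
    token.transfer(admin, balance);
}
```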
That's possible
Handle
gpersoon
Vulnerability details
Impact
The Compound contracts have recently added the function sweepToken to CErc20.sol. This function isn't present in the basedloans contract. See: https://github.com/compound-finance/compound-protocol/commit/b198cb4dac977c61fa793ffe441c932438e83cdc
Proof of Concept
https://github.com/compound-finance/compound-protocol/blob/master/contracts/CErc20.sol#L116
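```solidity
function sweepToken(EIP20NonStandardInterface token) external {
    // The market's own underlying asset must never be swept.
    require(address(token) != underlying, "CErc20::sweepToken: can not sweep underlying token");
    // Send this contract's entire balance of the given token to admin.
    uint256 balance = token.balanceOf(address(this));
    token.transfer(admin, balance);
}
```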
Tools Used
diff
Recommended Mitigation Steps
It might be useful to also add the function sweepToken.