Handle
gpersoon
Vulnerability details
Impact
The contract TracerPerpetualSwaps inherits from SafetyWithdraw, which means the function withdrawERC20Token is available on it. This allows the project owners to withdraw any ERC20 tokens held by the contract, including user collateral, which can be seen as a rug pull.
Also, the tvl variable and the other internal accounting are not updated when tokens leave this way, so the contract's bookkeeping no longer matches its actual balance.
Even if this is well intended, the project could still be called out for it; see for example: https://twitter.com/RugDocIO/status/1408097542202531840
Proof of Concept
// https://github.com/code-423n4/2021-06-tracer/blob/main/src/contracts/TracerPerpetualSwaps.sol#L20
contract TracerPerpetualSwaps is ITracerPerpetualSwaps, Ownable, SafetyWithdraw {

// https://github.com/code-423n4/2021-06-tracer/blob/main/src/contracts/lib/SafetyWithdraw.sol#L7
contract SafetyWithdraw is Ownable, ISafetyWithdraw {
    // Owner-only, but it can move any ERC20 the contract holds (including user
    // collateral) to any address, and it does not touch tvl or other accounting.
    function withdrawERC20Token(address tokenAddress, address to, uint256 amount) external override onlyOwner {
        IERC20(tokenAddress).transfer(to, amount);
    }
}
Tools Used
Recommended Mitigation Steps
Remove the withdrawERC20Token function entirely, or limit the period during which it can be called (for example, only for a fixed window after deployment).
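One way to apply the second option, as an added example that is not part of the finding or of the Tracer code base: a SafetyWithdraw variant whose rescue function stops working after a deadline fixed at deployment. It assumes OpenZeppelin 4.x (whose Ownable takes no constructor argument) at the usual import paths; the contract and event names are chosen here for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Example code, not the project's own. Assumes OpenZeppelin 4.x is installed.
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// @notice Rescue function usable only during a fixed window after deployment,
///         so it cannot remain a permanent owner backdoor once the contract is live.
contract TimeLimitedSafetyWithdraw is Ownable {
    /// @dev Timestamp after which withdrawERC20Token is permanently disabled.
    ///      Immutable, so the owner cannot extend the window later.
    uint256 public immutable withdrawDeadline;

    /// @dev Emitted on every rescue so withdrawals are visible on-chain for monitoring.
    event SafetyWithdrawal(address indexed token, address indexed to, uint256 amount);

    /// @param window Number of seconds after deployment during which rescue is allowed.
    constructor(uint256 window) {
        withdrawDeadline = block.timestamp + window;
    }

    /// @notice Transfer `amount` of `tokenAddress` to `to`; reverts once the window has closed.
    function withdrawERC20Token(address tokenAddress, address to, uint256 amount)
        external
        onlyOwner
    {
        require(block.timestamp < withdrawDeadline, "SafetyWithdraw: window closed");
        require(to != address(0), "SafetyWithdraw: zero recipient");
        // Check the return value: the original excerpt ignores it, so a token that
        // returns false on failure would silently leave accounting inconsistent.
        bool ok = IERC20(tokenAddress).transfer(to, amount);
        require(ok, "SafetyWithdraw: transfer failed");
        emit SafetyWithdrawal(tokenAddress, to, amount);
    }

    /// @notice True while the rescue function can still be called.
    function rescueWindowOpen() external view returns (bool) {
        return block.timestamp < withdrawDeadline;
    }
}
```

The deadline is derived from block.timestamp at deployment and stored as an immutable, so neither the owner nor a later upgrade of the inheriting contract can reopen the window; the emitted event gives operators and users a cheap signal to watch for during the window.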