code-423n4 / 2021-09-sushimiso-findings


TODO comment indicates missing sweep functionality #69

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

The comment “// TODO // GP: Sweep non relevant ERC20s / ETH” on missing logic indicates the need for an admin sweep of tokens (besides token1/token2) and ETH accidentally sent to this contract. However, this functionality is absent and may result in locked tokens/ETH.

Proof of Concept

https://github.com/sushiswap/miso/blob/2cdb1486a55ded55c81898b7be8811cb68cfda9e/contracts/Liquidity/PostAuctionLauncher.sol#L318-L319

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add functionality or remove comment.
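
For reference, an added sketch of the kind of admin sweep the TODO describes; it is not part of the original report and not code from sushiswap/miso. The contract name, the `admin` field, the `sweep` function and the `Swept` event are hypothetical, and only `token1`/`token2` follow the names used in the finding. It assumes the contract never holds raw ETH as one of its pool assets.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's code. All names except
// token1/token2 are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract SweepableLauncher {
    address public immutable admin;
    address public immutable token1;
    address public immutable token2;

    event Swept(address indexed token, address indexed to, uint256 amount);

    constructor(address _token1, address _token2) {
        admin = msg.sender;
        token1 = _token1;
        token2 = _token2;
    }

    // Lets ETH arrive by plain transfer so the sweep path can be exercised.
    receive() external payable {}

    /// Recover assets sent by mistake. `token == address(0)` means ETH
    /// (assumption: raw ETH is never a pool asset of this contract).
    function sweep(address token, address payable to) external {
        require(msg.sender == admin, "not admin");
        require(to != address(0), "zero recipient");
        // The pool's own assets must stay out of reach of the sweep.
        require(token != token1 && token != token2, "pool token");

        uint256 amount;
        if (token == address(0)) {
            amount = address(this).balance;
            (bool ok, ) = to.call{value: amount}("");
            require(ok, "ETH transfer failed");
        } else {
            amount = IERC20(token).balanceOf(address(this));
            // Low-level call tolerates tokens that return no bool.
            (bool ok, bytes memory ret) = token.call(
                abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
            require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
        }
        emit Swept(token, to, amount);
    }
}
```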

Clearwood commented 3 years ago

Unimplemented functionality does not constitute a bug in itself

ghoul-sol commented 3 years ago

I guess what the sponsor says is that that functionality is not needed after all, making this invalid.