Closed code423n4 closed 2 years ago
@judges, this report is lacking the actual functionality to do so - I am inclined to dispute this particular report to reward those that actually provided PoC.
@brockelmore - it is certainly light on the details, but does recommend a mitigation. I am going to leave it as a duplicate, but appreciate the sentiment that it would be hard to be sure of the vulnerability if others hadn't reported this issue.
dupe of #199
Handle
gzeon
Vulnerability details
Impact
arbitraryCall did not check the balances of incentives, which allows inherited governance to steal the incentives.
Proof of Concept
https://github.com/code-423n4/2021-11-streaming/blob/56d81204a00fc949d29ddd277169690318b36821/Streaming/src/Locke.sol#L733
Recommended Mitigation Steps
Keep track of incentive token addresses in createIncentive and check the balance of each token before and after the arbitrary call to ensure trustlessness.
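The following sketch shows one way to implement the mitigation the report recommends. It is an added illustration, not code from the Streaming/Locke.sol repository or from the warden: the function names createIncentive and arbitraryCall mirror the report's wording, but the storage layout, signatures, the governance address and the IERC20 surface are assumptions. The idea is that every incentive token is recorded when an incentive is created, and arbitraryCall snapshots the contract's balance of each recorded token before the external call and reverts if any balance is lower afterwards.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed for the balance checks (assumption: standard ERC20 tokens).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative sketch of the report's mitigation. Hypothetical contract: names follow
/// the report, but nothing here is Locke.sol's actual layout or API.
contract IncentiveGuardedCalls {
    address public governance;

    // Incentive tokens tracked so arbitraryCall can protect their balances.
    address[] public incentiveTokens;
    mapping(address => bool) public isIncentiveToken;
    mapping(address => uint256) public incentiveBalance;

    error Unauthorized();
    error TargetIsIncentiveToken(address token);
    error IncentiveDrained(address token, uint256 balBefore, uint256 balAfter);

    constructor(address _governance) {
        governance = _governance;
    }

    modifier onlyGovernance() {
        if (msg.sender != governance) revert Unauthorized();
        _;
    }

    /// Register the token the first time an incentive is created for it, then pull the funds.
    function createIncentive(address token, uint256 amount) external {
        if (!isIncentiveToken[token]) {
            isIncentiveToken[token] = true;
            incentiveTokens.push(token);
        }
        incentiveBalance[token] += amount;
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    /// Governance may make an arbitrary external call, but the contract's balance of every
    /// tracked incentive token must be no lower afterwards than before.
    function arbitraryCall(address target, bytes calldata data)
        external
        onlyGovernance
        returns (bytes memory)
    {
        // A balance snapshot cannot see approvals, so calling a tracked token directly
        // (e.g. to set an allowance that is spent later) is refused outright.
        if (isIncentiveToken[target]) revert TargetIsIncentiveToken(target);

        uint256 n = incentiveTokens.length;
        uint256[] memory balBefore = new uint256[](n);
        for (uint256 i = 0; i < n; i++) {
            balBefore[i] = IERC20(incentiveTokens[i]).balanceOf(address(this));
        }

        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");

        for (uint256 i = 0; i < n; i++) {
            uint256 balAfter = IERC20(incentiveTokens[i]).balanceOf(address(this));
            if (balAfter < balBefore[i]) {
                revert IncentiveDrained(incentiveTokens[i], balBefore[i], balAfter);
            }
        }
        return ret;
    }
}
```

Two caveats a reviewer would raise on this pattern: the loop over incentiveTokens is unbounded, so a deployment that accepts many distinct tokens should cap the list or use a different accounting scheme to avoid hitting the block gas limit; and the before/after comparison only covers tokens that report balances honestly, so a token with non-standard balanceOf behaviour would need separate handling.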