code-423n4 / 2021-11-streaming-findings

`arbitraryCall` allow inherited governance to steal incentives #200

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

gzeon

Vulnerability details

Impact

arbitraryCall did not check the balances of incentives, which allows inherited governance to steal the incentives.

Proof of Concept

https://github.com/code-423n4/2021-11-streaming/blob/56d81204a00fc949d29ddd277169690318b36821/Streaming/src/Locke.sol#L733

Recommended Mitigation Steps

Keep track of incentive token addresses in createIncentive and check the balance of each token before and after the arbitrary call to ensure trustlessness
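
The mitigation described above, written out as an added illustrative sketch (not code from Locke.sol or the Streaming project): `createIncentive` records every incentive token, and `arbitraryCall` snapshots those balances before the call and reverts if any has dropped afterwards. The contract, function and variable names here are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

/// Hypothetical sketch of the recommended mitigation: a governance-only
/// arbitrary call that cannot reduce this contract's balance of any token
/// ever registered as an incentive.
contract IncentiveGuard {
    address public governance;
    address[] public incentiveTokens;               // every token used as an incentive
    mapping(address => bool) public isIncentiveToken;

    constructor() { governance = msg.sender; }

    modifier onlyGov() { require(msg.sender == governance, "!gov"); _; }

    /// Register the token so arbitraryCall can protect it later.
    function createIncentive(address token, uint256 amount) external {
        if (!isIncentiveToken[token]) {
            isIncentiveToken[token] = true;
            incentiveTokens.push(token);
        }
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    /// Governance may call anything, but incentive balances must not decrease.
    function arbitraryCall(address target, bytes calldata data) external onlyGov returns (bytes memory) {
        // A balance check alone does not cover calls into the token contract
        // itself (e.g. an approval leaves balanceOf unchanged), so refuse them.
        require(!isIncentiveToken[target], "target is an incentive token");

        uint256 n = incentiveTokens.length;
        uint256[] memory before = new uint256[](n);
        for (uint256 i = 0; i < n; i++) {
            before[i] = IERC20(incentiveTokens[i]).balanceOf(address(this));
        }

        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");

        for (uint256 i = 0; i < n; i++) {
            require(IERC20(incentiveTokens[i]).balanceOf(address(this)) >= before[i], "incentive drained");
        }
        return ret;
    }
}
```

Note that `incentiveTokens` grows without bound, so a deployment with many distinct incentive tokens should cap the list or prune fully-claimed tokens to keep `arbitraryCall` within gas limits.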

brockelmore commented 2 years ago

@ judges, this report is lacking the actual functionality to do so - I am inclined to dispute this particular report to reward those that actually provided PoC.

0xean commented 2 years ago

@brockelmore - it is certainly light on the details, but does recommend a mitigation. I am going to leave it as a duplicate, but appreciate the sentiment that it would be hard if others hadn't reported this issue to be sure of the vulnerability.

0xean commented 2 years ago

dupe of #199