code-423n4 / 2021-11-vader-findings


VaderPoolV2.rescue results in loss of funds rather than recoverability #251

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

TomFrench

Vulnerability details

Impact

Any unaccounted-for tokens on VaderPoolV2 can be siphoned off by anyone.

Proof of Concept

VaderPoolV2 has a rescue function which allows any unaccounted for tokens to be recovered.

https://github.com/code-423n4/2021-11-vader/blob/429970427b4dc65e37808d7116b9de27e395ce0c/contracts/dex-v2/pool/BasePoolV2.sol#L505-L517

However, there is no access control on this function, which means that should any tokens be sent to VaderPoolV2 by accident, they'll just be scooped up by flashbots rather than being recoverable by the original owner or Vader governance.

This also means that any rebasing tokens which are deposited into VaderPoolV2 will have any rebases lost rather than being recoverable by Vader governance.

Recommended Mitigation Steps

Permission this function to only allow Vader governance to claim tokens.
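The following sketch is an added illustration, not part of the original report and not code from BasePoolV2.sol. It places an unrestricted rescue as the report describes it beside a governance-gated form; the contract name, the `reserves` mapping, the `governance` address and both function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Minimal ERC-20 surface needed by the sketch.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical pool fragment: names and storage layout are assumptions,
// not taken from BasePoolV2.sol.
contract RescueSketch {
    address public immutable governance;         // assumed governance address
    mapping(IERC20 => uint256) public reserves;  // balances the pool accounts for

    event Rescued(IERC20 indexed token, address indexed to, uint256 amount);

    constructor(address governance_) {
        require(governance_ != address(0), "governance=0");
        governance = governance_;
    }

    // Tokens held by the pool beyond what its accounting tracks.
    function unaccounted(IERC20 token) public view returns (uint256) {
        uint256 balance = token.balanceOf(address(this));
        uint256 reserve = reserves[token];
        return balance > reserve ? balance - reserve : 0;
    }

    // Behaviour the report describes, kept only for contrast: no access
    // control, so whoever calls first receives the surplus.
    function rescueUnrestricted(IERC20 token) external {
        uint256 amount = unaccounted(token);
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit Rescued(token, msg.sender, amount);
    }

    // Recommended mitigation: only governance may move the surplus, and it
    // names the recipient (for example the sender of a mistaken transfer).
    function rescue(IERC20 token, address to) external {
        require(msg.sender == governance, "only governance");
        require(to != address(0), "to=0");
        uint256 amount = unaccounted(token);
        require(amount > 0, "nothing to rescue");
        require(token.transfer(to, amount), "transfer failed");
        emit Rescued(token, to, amount);
    }
}
```

Tokens whose `transfer` does not return a `bool` need a safe-transfer wrapper in place of the `require` on the return value.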

SamSteinGG commented 2 years ago

Duplicate #28

alcueca commented 2 years ago

Not a duplicate, this issue correctly states that the function is vulnerable to front-running.

SamSteinGG commented 2 years ago

The function is equivalent to the Uniswap V2 rescue function which is not classified as incorrect.