cancelPromotion() Does Not Send Promotion Tokens Back to the Creator

[code423n4]

Handle

Meta0xNull

Vulnerability details

Impact

@notice Cancel currently active promotion and send promotion tokens back to the creator. The Notice Mention Token Send Back to the Creator.

_promotion.token.safeTransfer(_to, _remainingRewards); But in the code, Token Send to _to.

1. The code is different from what is written down.
2. There is no Validation address _to == Creator Address. Address _to Could Be Third Party Address or Account Not Under Control by Creator which mean is possible Creator lose fund.

Proof of Concept

https://github.com/pooltogether/v4-periphery/blob/ceadb25844f95f19f33cb856222e461ed8edf005/contracts/interfaces/ITwabRewards.sol#L56 https://github.com/pooltogether/v4-periphery/blob/b520faea26bcf60371012f6cb246aa149abd3c7d/contracts/TwabRewards.sol#L133

Tools Used

Manual Review

Recommended Mitigation Steps

Since the Creator is msg.sender, should Transfer Tokens back to msg.sender. _promotion.token.safeTransfer(msg.sender, _remainingRewards);

In cancelPromotion(), Remove Input address _to.

[PierrickGT]

This function is only callable by the promotion creator, the _to address param is here to offer the possibility to the creator to send the remaining funds to an address of his choosing, wether he his in control of it or not. For this reason, I've disputed the issue.

[dmvt]

The sponsor's explanation is valid but also confirms that the code comment is wrong. This is a valid low risk issue.

1 — Low (L): vulns that have a risk of 1 are considered “Low” severity when assets are not at risk. Includes state handling, function incorrect as to spec, and issues with comments.