code-423n4 / 2022-01-yield-findings


Attacker can steal part of the rewards if one of the `extraRewards` is rewarded with Convex Token #114

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

Given that ConvexYieldWrapper.sol#wrap() allows anyone to wrap the contract's entire balance of convexToken to an arbitrary address.

https://github.com/code-423n4/2022-01-yield/blob/e946f40239b33812e54fafc700eb2298df1a2579/contracts/ConvexYieldWrapper.sol#L125-L135

```solidity
function wrap(address to_, address from_) external {
    require(!isShutdown, "shutdown");
    uint256 amount_ = IERC20(convexToken).balanceOf(address(this));
    require(amount_ > 0, "No convex token to wrap");

    _checkpoint([address(0), from_]);
    _mint(to_, amount_);
    IRewardStaking(convexPool).stake(amount_);

    emit Deposited(msg.sender, to_, amount_, false);
}
```

If one of the extraRewards provided by Convex's Staking program is rewarded with Convex Token, then the attacker will be able to steal the Convex Token rewards simply by calling ConvexYieldWrapper.sol#wrap().

Considering that providing staking rewards with the platform's house token is rather common and popular, we believe it should be taken into consideration.

Recommendation

Consider changing to:

```solidity
function wrap(address to_, address from_, uint256 amount_) external {
    require(!isShutdown, "shutdown");
    IERC20(convexToken).transferFrom(from_, address(this), amount_);
    _checkpoint([address(0), from_]);
    _mint(to_, amount_);
    IRewardStaking(convexPool).stake(amount_);

    emit Deposited(msg.sender, to_, amount_, false);
}
```

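The accounting difference between the two `wrap()` versions in the finding, as an added Python model that is not part of the finding or of the Yield code base: a minimal token and wrapper (all names and balances constructed) in which `wrap_by_balance` mints whatever convexToken sits in the contract, while `wrap_by_transfer` mints only what `transferFrom` pulled from `from_`. `scenario(mode)` stages the hypothesised case of 100 reward tokens parked in the wrapper and returns (attacker's wrapped tokens, alice's wrapped tokens, tokens still parked in the wrapper).

```python
from collections import defaultdict

class Token:  # minimal ERC-20 model, constructed for this example: balances and allowances only
    def __init__(self):
        self.balances = defaultdict(int)
        self.allowance = defaultdict(int)  # keyed by (owner, spender)

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance[(owner, spender)] < amount or self.balances[owner] < amount:
            raise ValueError("transferFrom failed")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] += amount

class Wrapper:  # models only the accounting of wrap(); "staking" just removes tokens from the wrapper's balance
    ADDR = "wrapper"

    def __init__(self, convex_token):
        self.convex = convex_token
        self.wrapped = defaultdict(int)  # wrapper tokens minted per holder

    def wrap_by_balance(self, to):
        # Original pattern: the amount is whatever sits in the contract, whoever sent it.
        amount = self.convex.balances[self.ADDR]
        self.convex.balances[self.ADDR] -= amount  # staked into convexPool
        self.wrapped[to] += amount
        return amount

    def wrap_by_transfer(self, to, from_, amount):
        # Recommended pattern: pull exactly `amount` from `from_`; a parked balance is never minted.
        self.convex.transfer_from(self.ADDR, from_, self.ADDR, amount)
        self.convex.balances[self.ADDR] -= amount  # staked into convexPool
        self.wrapped[to] += amount
        return amount

def scenario(mode):
    cvx = Token()
    w = Wrapper(cvx)
    cvx.balances[Wrapper.ADDR] = 100  # constructed: 100 tokens parked in the wrapper, e.g. a reward paid in convexToken
    cvx.balances["alice"] = 40
    cvx.allowance[("alice", Wrapper.ADDR)] = 40  # alice approved the wrapper for 40
    if mode == "balance":
        w.wrap_by_balance("attacker")  # any caller mints the parked 100 to themselves
    else:
        try:
            w.wrap_by_transfer("attacker", "alice", 100)  # alice only approved 40: reverts
        except ValueError:
            pass
        w.wrap_by_transfer("alice", "alice", 40)
    return w.wrapped["attacker"], w.wrapped["alice"], cvx.balances[Wrapper.ADDR]
```

With the balance-based version the parked 100 tokens end up minted to whoever calls first; with the transferFrom version they stay parked and only alice's approved 40 are wrapped.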
iamsahu commented 2 years ago

The wrapper is used to wrap convex tokens, which are wrapped Curve LP tokens. As a reward, only CRV or CVX tokens are rewarded. Apart from these there would be other tokens, but never convex-wrapped Curve LP tokens. So, based on this assumption, the above attack is not possible.

GalloDaSballo commented 2 years ago

Per the sponsor reply, the finding is invalid