code-423n4 / 2022-01-yield-findings


Improvable decentralization #63

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0x1f8b

Vulnerability details

Impact

Owner can steal the funds.

Proof of Concept

The owner has the method shutdownAndRescue to retrieve all the convexToken tokens and shut down the service, but using recoverERC20 it is possible to drain these funds without shutting down the service; it should be checked inside this method that the token is not convexToken.

Affected method:

Tools Used

Manual review.

Recommended Mitigation Steps

Add a check inside recoverERC20 to check that the token is not convexToken
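Added illustration of the two owner paths the finding contrasts, not the project's own ConvexYieldWrapper code: a hypothetical minimal wrapper in which shutdownAndRescue stops the service before moving convexToken, while recoverERC20 is shown in the unguarded shape the finding describes and in the guarded shape the mitigation asks for (contract and function bodies are assumptions, only the method names come from the finding).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical sketch for illustration; not Yield's wrapper.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

contract ConvexWrapperSketch {
    address public immutable owner;
    IERC20 public immutable convexToken; // the wrapped asset; must not leave via recoverERC20
    bool public isShutdown;

    error NotOwner();
    error ProtectedToken(address token);

    constructor(IERC20 convexToken_) {
        owner = msg.sender;
        convexToken = convexToken_;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Emergency path: the flag is set first, so the rescue is visible on-chain
    // as a shutdown rather than as a silent withdrawal.
    function shutdownAndRescue(address to) external onlyOwner {
        isShutdown = true;
        require(convexToken.transfer(to, convexToken.balanceOf(address(this))), "transfer failed");
    }

    // Shape described in the finding: any token, including convexToken,
    // can be moved while the wrapper is still live.
    function recoverERC20Unchecked(IERC20 token, uint256 amount, address to) external onlyOwner {
        require(token.transfer(to, amount), "transfer failed");
    }

    // Shape after the recommended mitigation: the wrapped asset is refused,
    // so only unrelated tokens (e.g. undistributed rewards) can be recovered.
    function recoverERC20(IERC20 token, uint256 amount, address to) external onlyOwner {
        if (address(token) == address(convexToken)) revert ProtectedToken(address(token));
        require(token.transfer(to, amount), "transfer failed");
    }
}
```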

alcueca commented 2 years ago

The wrapper is designed so that it never holds any convex token that would be destined for wrapping when a transaction ends. The only tokens that can ever be present in the wrapper are non-distributed rewards.

If any convex is left in the wrapper without calling wrap, it will be harvested by bots, and we are fine with that as explained in the README.

GalloDaSballo commented 2 years ago

As per the sponsor reply, the wrapper is a utility tool meant to be called atomically by other smart contracts. No funds are supposed to be stuck in this wrapper. For this reason, and because the warden failed to display a way for funds to be stuck, I believe the finding to be invalid