The bETH reward contract pays out a reward_denom token to all config.token_contract holders.
This config.token_contract can be changed by the owner at any time through the execute_post_initialize function.
Changing the token contract will break all bETH transfers as the token check fails on the increase/decrease_balance calls that are triggered on each transfer.
It also allows the deployer to set it to their own, private token contract and earn all rewards.
This is a centralization risk: a malicious or compromised owner can cause a big impact, and it can be avoided.
Recommended Mitigation Steps
Only allow setting the config.token_contract once instead.
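A minimal sketch of the set-once mitigation, added here as an illustration and not taken from the Anchor code base. It is a stand-alone model without cosmwasm_std: the `Config` layout, the `ContractError` variants and the `check_token_sender` helper are assumptions; only `execute_post_initialize`, `token_contract` and the increase/decrease_balance token check come from the finding.

```rust
// Stand-alone model of the reward contract's config handling (assumed types,
// plain strings instead of CosmWasm addresses).
#[derive(Debug, PartialEq)]
pub enum ContractError {
    Unauthorized,
    TokenAlreadySet, // hypothetical error for a repeated post-initialize
}

pub struct Config {
    pub owner: String,
    pub token_contract: Option<String>, // None until post-initialize runs
}

/// Owner-only, set-once variant of execute_post_initialize.
pub fn execute_post_initialize(
    config: &mut Config,
    sender: &str,
    token_contract: &str,
) -> Result<(), ContractError> {
    if sender != config.owner {
        return Err(ContractError::Unauthorized);
    }
    // The mitigation: refuse to overwrite an address that is already set.
    if config.token_contract.is_some() {
        return Err(ContractError::TokenAlreadySet);
    }
    config.token_contract = Some(token_contract.to_string());
    Ok(())
}

/// Model of the token check run by increase/decrease_balance on each transfer.
pub fn check_token_sender(config: &Config, sender: &str) -> Result<(), ContractError> {
    match config.token_contract.as_deref() {
        Some(token) if token == sender => Ok(()),
        _ => Err(ContractError::Unauthorized),
    }
}

fn main() {
    // Constructed sample values.
    let mut config = Config { owner: "owner".into(), token_contract: None };
    execute_post_initialize(&mut config, "owner", "beth_token").unwrap();
    // A second call by the owner is rejected, so the bETH token keeps passing the check.
    let second = execute_post_initialize(&mut config, "owner", "private_token");
    println!("second call: {:?}, token_contract: {:?}", second, config.token_contract);
}
```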
Lines of code
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bEth-contracts/contracts/anchor_beth_reward/src/owner.rs#L18