Open code423n4 opened 2 years ago
Owner is a multisig & timelock. New depositors can be added later as well.
I think the warden could have done a better job at writing a POC.
That said, the finding is valid; the sponsor could set a depositor to be any EOA, and because there's no transfer of tokens, the balances could be inflated. Setting an immutable depositor would bring stronger security guarantees instead of allowing any contract to become a depositor.
Because this is contingent on admin privilege, I believe medium severity to be more appropriate.
Lines of code
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/MasterChef.sol#L78-L80
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/MasterChef.sol#L157-L180
Vulnerability details
Impact
Owner can steal Concur rewards by adding a depositor and inflating other depositors' assigned balance of the token within the contract. Thus, the owner-managed depositor can get most (all but one wei) of the created tokens.
Tools Used
Manual analysis
Recommended Mitigation Steps
Do not allow the owner to add depositors after the depositors have been configured.
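The impact and the recommended mitigation above, as an added example that is not part of the original report or the Concur code base: a simplified Python model that assumes rewards are split pro rata by recorded balance and that deposit() moves no tokens. RewardLedger, lock_depositors, run and the account names are hypothetical.

```python
# Added illustration: simplified model, not the Concur MasterChef code.
# Assumptions: rewards are split pro rata by recorded balance, and deposit()
# only updates bookkeeping (no token transfer). All names are hypothetical.

class RewardLedger:
    def __init__(self, owner):
        self.owner = owner
        self.depositors = set()
        self.balances = {}
        self.locked = False  # mitigation switch: one-way, never reset

    def add_depositor(self, caller, depositor):
        if caller != self.owner:
            raise PermissionError("only owner")
        if self.locked:
            raise PermissionError("depositor set is final")
        self.depositors.add(depositor)

    def lock_depositors(self, caller):
        if caller != self.owner:
            raise PermissionError("only owner")
        self.locked = True

    def deposit(self, caller, recipient, amount):
        if caller not in self.depositors:
            raise PermissionError("only depositor")
        # No tokens move here, so the credited amount is backed by nothing.
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def split(self, reward):
        total = sum(self.balances.values())
        return {who: reward * bal // total for who, bal in self.balances.items()}


WEI = 10**18
REWARD = 1000 * WEI  # constructed sample values


def run(lock_after_setup):
    ledger = RewardLedger("owner")
    ledger.add_depositor("owner", "vault")           # legitimate depositor
    ledger.deposit("vault", "alice", 100 * WEI)
    if lock_after_setup:
        ledger.lock_depositors("owner")
    try:
        ledger.add_depositor("owner", "late_eoa")    # depositor added later
        ledger.deposit("late_eoa", "late_eoa", 10**60)
    except PermissionError:
        pass                                         # rejected once locked
    return ledger.split(REWARD)
```

With the depositor set left open, the late depositor's share in this model is the full reward minus one wei; with the set locked after setup, the later addition is rejected and the existing balance keeps the whole reward.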