code-423n4 / 2022-02-concur-findings


StakingRewards.recoverERC20 allows owner to rug the `rewardsToken` #69

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-concur/blob/main/contracts/StakingRewards.sol#L166

Vulnerability details

Impact

StakingRewards.recoverERC20 rightfully checks against the stakingToken being swept away. However, there's no check against the rewardsToken, which over time will sit in this contract.

This is the case of an admin privilege, which allows the owner to sweep the rewards tokens, perhaps as a way to rug depositors.

Proof of Concept

Calling StakingRewards.recoverERC20(rewardsToken, rewardsToken.balanceOf(this)) enables the owner to sweep the token.

Recommended Mitigation Steps

Add an additional check:

```solidity
require(
    tokenAddress != address(rewardsToken),
    "Cannot withdraw the rewards token"
);
```

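The pattern the finding describes, shown as a before/after pair. This is an added illustration written for this page, not the Concur contract at the linked line: the interface, the `SimpleOwnable` gate, the `RewardsVault` base and the two contract names are assumptions chosen to keep the example self-contained, and the transfer uses a plain `transfer` call where a real contract would use a safe-transfer wrapper.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed by the example (assumed, not the project's interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Minimal owner gate standing in for an Ownable-style modifier (assumption).
abstract contract SimpleOwnable {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }
}

// Shared state: the token users stake and the token held for reward payouts.
abstract contract RewardsVault is SimpleOwnable {
    IERC20 public immutable stakingToken;
    IERC20 public immutable rewardsToken;

    constructor(IERC20 _stakingToken, IERC20 _rewardsToken) {
        stakingToken = _stakingToken;
        rewardsToken = _rewardsToken;
    }
}

// Before: only the staking token is protected. Because rewardsToken accrues in
// this contract, the owner can call recoverERC20(address(rewardsToken), balance)
// and drain the rewards that depositors are still owed.
contract RecoverBefore is RewardsVault {
    constructor(IERC20 s, IERC20 r) RewardsVault(s, r) {}

    function recoverERC20(address tokenAddress, uint256 tokenAmount) external onlyOwner {
        require(tokenAddress != address(stakingToken), "Cannot withdraw the staking token");
        require(IERC20(tokenAddress).transfer(owner, tokenAmount), "transfer failed");
    }
}

// After: the recommended mitigation. The rewards token is excluded as well, so
// the sweep function is limited to tokens sent to the contract by mistake.
contract RecoverAfter is RewardsVault {
    constructor(IERC20 s, IERC20 r) RewardsVault(s, r) {}

    function recoverERC20(address tokenAddress, uint256 tokenAmount) external onlyOwner {
        require(tokenAddress != address(stakingToken), "Cannot withdraw the staking token");
        require(tokenAddress != address(rewardsToken), "Cannot withdraw the rewards token");
        require(IERC20(tokenAddress).transfer(owner, tokenAmount), "transfer failed");
    }
}
```

A unit test for the hardened version should assert that `recoverERC20(address(rewardsToken), ...)` reverts with "Cannot withdraw the rewards token" while recovery of an unrelated token still succeeds. If the protocol needs a way to reclaim rewards that were funded but never allocated, the cleaner design is a dedicated function that caps the withdrawable amount at the balance in excess of what is still owed to stakers, rather than leaving the general-purpose sweep open to the rewards token.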
GalloDaSballo commented 2 years ago

Because I'm judging the contest, I am forfeiting any warden winnings.

The sponsor confirms, and I believe this to be medium severity as it is contingent on a malicious owner. Adding the extra check removes the rug vector.