This PaladinRewardReserve contract is meant to hold the rewards to distribute to users staking & locking in the hPAL contract, and not user deposited funds. Hence this contract cannot allow the admin of the contract to steal user funds.
This PaladinRewardReserve contract is also designed to be controlled through a multisig, and to receive rewards to distribute based on Paladin Governance decisions. The rewards held there, while not distributed, are in the control of the DAO.
While they may not be user funds, the warden is correct that the admin is able to remove funds freely from the contract. Even with a multisig in place this seems like some very liberal owner functionality that as others have suggested (#31) might warrant additional measures in place to prevent abuse. I am going to re-open this and mark it as a duplicate to #31 as I think it's definitely a risk in the system as written.
Lines of code
https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/PaladinRewardReserve.sol#L52
Vulnerability details
In the function `transferToken`, the admin can steal all the money.