Closed code423n4 closed 2 years ago
Could change to this maybe?
```solidity
function processExpiredLocks(bool relock) external override returns (bool) {
    // if (relock) {
    //     require(!prepareWithdrawal, Error.PREPARED_WITHDRAWAL);
    // }
    if (!prepareWithdrawal) {
        ICvxLocker(CVX_LOCKER).processExpiredLocks(relock);
    } else {
        ICvxLocker(CVX_LOCKER).withdrawExpiredLocksTo(treasury);
    }
    return true;
}
```
This has no potential loss of funds so should be a low severity
Downgrading to Low / QA
Lines of code
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/CvxCrvRewardsLocker.sol#L130-L145
Vulnerability details
Impact
The `processExpiredLocks` function in `CvxCrvRewardsLocker` is external and unpermissioned. When locks expire, a griefer can call or frontrun calls to this function to force withdrawal to the treasury.
Proof of Concept
CvxCrvRewardsLocker#processExpiredLocks
Scenario:
- `prepareWithdrawal` is `false`.
- `processExpiredLocks(true)` to relock the contract's CVX balance.
- `processExpiredLocks(false)`.
- `if` conditions check the `relock` argument, CVX is withdrawn to the treasury rather than relocked.
Recommended Mitigation Steps
Consider adding the `onlyGovernance` modifier to this function, or using the value of `preparedWithdrawal` rather than the `relock` argument.
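A sketch of the second mitigation, added here as an example and not taken from the Backd repository: the relock-or-withdraw decision is read from a governance-set `prepareWithdrawal` flag, so an unpermissioned caller has no argument with which to pick the branch. `LockerSketch`, `setPrepareWithdrawal`, the `ExpiredLocksProcessed` event and the single `governance` address are assumptions; the two `ICvxLocker` calls are the ones quoted on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added illustration, not the Backd contract. Only the two locker calls
// quoted on this page are declared.
interface ICvxLocker {
    function processExpiredLocks(bool relock) external;
    function withdrawExpiredLocksTo(address to) external;
}

contract LockerSketch {
    address public immutable governance; // assumption: one governance address
    address public immutable cvxLocker;
    address public immutable treasury;
    bool public prepareWithdrawal;

    // Hypothetical event so monitoring can see who triggered which branch.
    event ExpiredLocksProcessed(address indexed caller, bool withdrawnToTreasury);

    modifier onlyGovernance() {
        require(msg.sender == governance, "unauthorized");
        _;
    }

    constructor(address governance_, address cvxLocker_, address treasury_) {
        governance = governance_;
        cvxLocker = cvxLocker_;
        treasury = treasury_;
    }

    // The relock/withdraw decision is stored state that only governance sets.
    function setPrepareWithdrawal(bool value) external onlyGovernance {
        prepareWithdrawal = value;
    }

    // Left permissionless on purpose: with no caller-supplied argument,
    // calling early or ahead of another transaction cannot change the branch.
    function processExpiredLocks() external returns (bool) {
        bool withdraw = prepareWithdrawal;
        if (withdraw) {
            ICvxLocker(cvxLocker).withdrawExpiredLocksTo(treasury);
        } else {
            ICvxLocker(cvxLocker).processExpiredLocks(true);
        }
        emit ExpiredLocksProcessed(msg.sender, withdraw);
        return true;
    }
}
```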