Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/CvxCrvRewardsLocker.sol#L211
This will make unauthorized users lock all rewards on the protocol
Compile the following contract : https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/CvxCrvRewardsLocker.sol#L211 as normal user, call the function lockRewards from CvxCrvRewardsLocker contract, this will later calls the _lockCvx(); and _lockCrv(); functions these will makes the total balance and all tokens (CRV and CVX) locked for cvxCRV and staked on Convex
Make the function only executable by owners or make an extra role (locker) as example :
modifier locker() { require(msg.sender == locker); _; } function setLocker(address newLocker) onlyowner public { locker = NewLocker; }
It is the intended purpose for users to be able to relock on behalf of the protocol.
Lines of code
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/CvxCrvRewardsLocker.sol#L211
Vulnerability details
Impact
This will make unauthorized users lock all rewards on the protocol
Proof of Concept
Compile the following contract : https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/CvxCrvRewardsLocker.sol#L211 as normal user, call the function lockRewards from CvxCrvRewardsLocker contract, this will later calls the _lockCvx(); and _lockCrv(); functions these will makes the total balance and all tokens (CRV and CVX) locked for cvxCRV and staked on Convex
Recommended Mitigation Steps:
Make the function only executable by owners or make an extra role (locker) as example :