chase-manning
commented
2 years ago It is the intended purpose for users to be able to relock on behalf of the protocol.
Closed code423n4 closed 2 years ago
chase-manning
commented
2 years ago It is the intended purpose for users to be able to relock on behalf of the protocol.
Lines of code
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/CvxCrvRewardsLocker.sol#L211
Vulnerability details
Impact
This will make unauthorized users lock all rewards on the protocol
Proof of Concept
Compile the following contract : https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/CvxCrvRewardsLocker.sol#L211 as normal user, call the function lockRewards from CvxCrvRewardsLocker contract, this will later calls the _lockCvx(); and _lockCrv(); functions these will makes the total balance and all tokens (CRV and CVX) locked for cvxCRV and staked on Convex
Recommended Mitigation Steps:
Make the function only executable by owners or make an extra role (locker) as example :