code-423n4 / 2022-04-pooltogether-findings


Owner or Managers can rug Aave rewards #89

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L275-L282

Vulnerability details

Impact

A malicious owner or manager can steal all Aave rewards that are meant for PoolTogether users.

Even if the user is benevolent, the fact that there is a rug vector available may negatively impact the protocol's reputation.

Proof of Concept

File: contracts/AaveV3YieldSource.sol

```solidity
275     function claimRewards(address _to) external onlyManagerOrOwner returns (bool) {
276       require(_to != address(0), "AaveV3YS/payee-not-zero-address");
277
278       address[] memory _assets = new address[](1);
279       _assets[0] = address(aToken);
280
281       (address[] memory _rewardsList, uint256[] memory _claimedAmounts) = rewardsController
282         .claimAllRewards(_assets, _to);
```

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L275-L282

The claimRewards() function allows the caller to send the rewards to an arbitrary address.

Tools Used

Code inspection

Recommended Mitigation Steps

Use a poolAddressesProviderRegistry-like contract to determine where the rewards should go, instead of letting an address be passed in
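The following is an added illustration of the recommended shape of the fix, written for this page and not taken from the PoolTogether yield source. It keeps the `claimAllRewards(address[] assets, address to)` signature of Aave v3's `IRewardsController`, but the destination is no longer a caller-supplied argument: it is a stored `rewardsRecipient` that only the owner can change, and every change is logged. The contract name, the `rewardsRecipient` variable, the events and the `onlyOwner` modifier are assumptions of this example; a registry lookup, as the finding recommends, could replace the stored address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example, not PoolTogether code. The interface below matches the
// claimAllRewards signature of Aave v3's IRewardsController.
interface IRewardsController {
    function claimAllRewards(address[] calldata assets, address to)
        external
        returns (address[] memory rewardsList, uint256[] memory claimedAmounts);
}

contract HardenedRewardsClaimer {
    address public owner;
    address public immutable aToken;
    IRewardsController public immutable rewardsController;

    // Fixed destination for claimed rewards (hypothetical name). Only the owner
    // can change it and every change is emitted, so users can monitor it.
    address public rewardsRecipient;

    event RewardsRecipientSet(address indexed previous, address indexed current);
    event RewardsClaimed(address indexed to, address[] rewardsList, uint256[] claimedAmounts);

    modifier onlyOwner() {
        require(msg.sender == owner, "not-owner");
        _;
    }

    constructor(address _aToken, IRewardsController _rewardsController, address _recipient) {
        require(_recipient != address(0), "recipient-zero");
        owner = msg.sender;
        aToken = _aToken;
        rewardsController = _rewardsController;
        rewardsRecipient = _recipient;
        emit RewardsRecipientSet(address(0), _recipient);
    }

    // Changing the destination is an explicit, logged governance action rather
    // than a free parameter of every claim call.
    function setRewardsRecipient(address _recipient) external onlyOwner {
        require(_recipient != address(0), "recipient-zero");
        emit RewardsRecipientSet(rewardsRecipient, _recipient);
        rewardsRecipient = _recipient;
    }

    // No `_to` parameter: whoever is allowed to call this cannot redirect the
    // rewards anywhere other than the configured recipient.
    function claimRewards() external onlyOwner returns (bool) {
        address[] memory _assets = new address[](1);
        _assets[0] = aToken;

        (address[] memory _rewardsList, uint256[] memory _claimedAmounts) =
            rewardsController.claimAllRewards(_assets, rewardsRecipient);

        emit RewardsClaimed(rewardsRecipient, _rewardsList, _claimedAmounts);
        return true;
    }
}
```

The remaining trust assumption is `setRewardsRecipient` itself: an owner can still point it at an address they control, but doing so is a separate, observable transaction rather than a side effect of an ordinary claim, which is what makes it detectable off-chain. Resolving the destination from a registry contract instead of a stored address, or placing the setter behind a timelock, would remove that assumption as well.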

PierrickGT commented 2 years ago

Duplicate of https://github.com/code-423n4/2022-04-pooltogether-findings/issues/55