Open code423n4 opened 2 years ago

Lines of code
https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L275-L282

Vulnerability details

Impact
A malicious owner or manager can steal all Aave rewards that are meant for PoolTogether users.
Even if the user is benevolent, the fact that there is a rug vector available may negatively impact the protocol's reputation.

Proof of Concept
https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L275-L282

File: contracts/AaveV3YieldSource.sol#L275-L282

```solidity
// `_to` is chosen by the privileged caller; the only constraint on it is the zero-address check below.
function claimRewards(address _to) external onlyManagerOrOwner returns (bool) {
  require(_to != address(0), "AaveV3YS/payee-not-zero-address");

  address[] memory _assets = new address[](1);
  _assets[0] = address(aToken);

  // All accrued rewards for the aToken are sent to the caller-supplied `_to`.
  (address[] memory _rewardsList, uint256[] memory _claimedAmounts) = rewardsController
    .claimAllRewards(_assets, _to);
```

The claimRewards() function allows the caller to send the rewards to an arbitrary address.

Tools Used
Code inspection

Recommended Mitigation Steps
Use a poolAddressesProviderRegistry-like contract to determine where the rewards should go, instead of letting an address be passed in.

Duplicate of https://github.com/code-423n4/2022-04-pooltogether-findings/issues/55
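The following is an added example of the recommended mitigation, not code from the PoolTogether repository. It keeps the `claimAllRewards(address[] assets, address to)` call exactly as shown in the excerpt above, but resolves the payee from a registry contract instead of accepting it as a parameter. The `IRewardsRecipientRegistry` interface, its `rewardsRecipient(address)` function, the `Claimed` event and the simplified `manager` role are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Aave V3 rewards-controller surface used by the yield source
// (same signature as the call in the issue's excerpt).
interface IRewardsController {
  function claimAllRewards(address[] calldata assets, address to)
    external
    returns (address[] memory rewardsList, uint256[] memory claimedAmounts);
}

// Hypothetical registry (assumption for this example): a separately governed
// contract that answers "where do the rewards of this yield source go?".
interface IRewardsRecipientRegistry {
  function rewardsRecipient(address yieldSource) external view returns (address);
}

contract AaveV3YieldSourceHardened {
  IRewardsController public immutable rewardsController;
  IRewardsRecipientRegistry public immutable recipientRegistry;
  address public immutable aToken;
  address public immutable manager; // simplified stand-in for onlyManagerOrOwner

  event Claimed(
    address indexed operator,
    address indexed to,
    address[] rewardsList,
    uint256[] claimedAmounts
  );

  constructor(
    IRewardsController _rewardsController,
    IRewardsRecipientRegistry _recipientRegistry,
    address _aToken,
    address _manager
  ) {
    rewardsController = _rewardsController;
    recipientRegistry = _recipientRegistry;
    aToken = _aToken;
    manager = _manager;
  }

  modifier onlyManager() {
    require(msg.sender == manager, "AaveV3YS/caller-not-manager");
    _;
  }

  // Compare with the original `claimRewards(address _to)`: there the manager or
  // owner picks the payee. Here the payee is read from the registry, so the
  // privileged caller can only trigger the claim, not redirect its proceeds.
  function claimRewards() external onlyManager returns (bool) {
    address _to = recipientRegistry.rewardsRecipient(address(this));
    require(_to != address(0), "AaveV3YS/recipient-not-configured");

    address[] memory _assets = new address[](1);
    _assets[0] = aToken;

    (address[] memory _rewardsList, uint256[] memory _claimedAmounts) =
      rewardsController.claimAllRewards(_assets, _to);

    emit Claimed(msg.sender, _to, _rewardsList, _claimedAmounts);
    return true;
  }
}
```

The point of the change is that the recipient is no longer an input to the privileged call. The trust root moves to whoever can write the registry entry, so the registry only helps if it is governed independently of the yield source's owner and manager (for instance behind a timelock); a registry that the same owner can update at will just moves the rug vector one contract over. Emitting the resolved `_to` on every claim also gives monitoring something concrete to alert on if the configured recipient ever changes.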