Loss of funds via `distributeOther`

[code423n4]

Lines of code

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L203

Vulnerability details

Issue: distributeOther accepts an arbitrary token input, and is intended to distribute other tokens than the contract's primary tokens. It does not input validate that the token input is not primary token cvx

Consequence: Disruption in fund flow, potential breakage of protocol depending on upstream/downstream call flows. Funds leakage via incentive may break protocol invariants.

Proof of Concept:

• The contract ends up with CVX for any reason
• distributeOther is called with cvx address
• CVX tokens are sent to reward distributor as secondary token rewards.
• Caller recieves a cut of CVX via incentive.

Mitigations: Add input validation to distributeOther invalidating CVX as an input.

[dmvt]

This appears to be intended functionality and cvx seems to be enabled as a potential extra reward. The sponsor is specifically preventing cvx from being returned via rescueToken, so that it does have to pass through distributeOther to be removed from the contract. The warden does not show how this is a vulnerability or results in loss of funds. Given that the only use of the stored cvx address is to prevent it from being removed via rescueToken, I'm also not sure where the "primary token" classification came from here. Invalid.