bunkerfinance-dev
commented
2 years ago We don't find any sort of "admin can rug" type of issue as high severity; in the future we will replace the admin with a timelock and/or governance.
Closed code423n4 closed 2 years ago
bunkerfinance-dev
commented
2 years ago We don't find any sort of "admin can rug" type of issue as high severity; in the future we will replace the admin with a timelock and/or governance.
Lines of code
https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/CNft.sol#L16 https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/CNft.sol#L274-L282
Vulnerability details
Impact
The
CNft.solcontract is deployed to allow users to deposit NFTs and mintERC1155tokens. These minted tokens can be deposited in Bunker finance's compound fork to earn yield. Because this contract is upgradeable, the deployer who is assumed to be the Bunker team can upgrade the contract to bypass the current implementation ofcall()which is restricted to prevent arbitrary calls to the underlying NFT. As a result, ifcall()is modified to not check that `to != underlying, then the contract owner could transfer out all NFTs.Recommended Mitigation Steps
Consider removing the contract's upgradeability as it introduces numerous rug vectors to its userbase.