BathToken uninitialized rewardsVestingWallet leading to loss of funds

[code423n4]

Lines of code

https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L80 https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L642-L650

Vulnerability details

Impact

Contract BathToken.sol implements distributeBonusTokenRewards function that allows distributing non-underlying bath token incentives to pool withdrawers. In case of rewardsVestingWallet being set implementation triggers release function of rewardsVestingWallet. The issue is that rewardsVestingWallet is uninitalized (set to zero address) and cannot be set in any way which means that there is no way of executing rewardsVestingWallet.release logic. The result is that function distributeBonusTokenRewards does not work which leads to loss of bonus token rewards thus effectively loss of funds.

Proof of Concept

• https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L80
• https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L642-L650

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to initialize value of rewardsVestingWallet in initialize or add additional function for setting its value.

[bghughes]

OK issue. There are no bonus tokens to lose at the moment. See #168 #43