Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/core/InfinityExchange.sol#L1220

Vulnerability details

Impact

During the code review, It has been observed the all currency tokens can be withdraw by owner without timelock. The currency token should not be withdrawn by owner. This poses centralization risk.

Proof of Concept

Navigate to the following contract function.

  function rescueTokens(
    address destination,
    address currency,
    uint256 amount
  ) external onlyOwner {
    IERC20(currency).safeTransfer(destination, amount);
  }

Tools Used

Code Review

Recommended Mitigation Steps

We advise the client to carefully manage the onlyOwner account private key to avoid any potential risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol to be improved via a decentralized mechanism or smart-contract-based accounts with enhanced security practices, e.g., Multisignature wallets.

Define maximum total supply.
Indicatively, here is some feasible suggestions that would also mitigate the potential risk at the different level in term of short-term and long-term goal:
Time-lock with reasonable latency, e.g. 48 hours, for awareness on privileged operations; Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to the private key;
Introduction of a DAO/governance/voting module to increase transparency and user involvement.

code-423n4 / 2022-06-infinity-findings