code-423n4 / 2022-06-nested-findings

0 stars 1 forks source link

Owner can sweep any token #37

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-nested/blob/main/contracts/NestedFactory.sol#L175

Vulnerability details

Impact

Admin can sweep any token even if the token is in use by the contract. Ideally only non blacklisted tokens should be allowed by unlockTokens function

function unlockTokens(IERC20 _token) external override onlyOwner {
        uint256 amount = _token.balanceOf(address(this));
        SafeERC20.safeTransfer(_token, msg.sender, amount);
        emit TokensUnlocked(address(_token), amount);
    }

Recommended Mitigation Steps

Add a check to disallow all tokens which are used by the contract

obatirou commented 2 years ago

Owner can sweep any token (disputed)

NestedFactory does not store funds The unlockFunction is here only to retrieve funds in case a user send funds to the contract even if they should not to