Lines of code
https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L182
https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L457
https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L526
Vulnerability details
Impact
The vulnerability in the MultiRewardStaking and VaultController contracts lies in the use of the transfer and transferFrom functions, which do not provide safety checks for the transfer of tokens, especially since the reward token can have an arbitrary implementation. If the recipient contract does not have a function to handle the incoming tokens, it can result in the loss of tokens.
Proof of Concept
Line https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L182
Line https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L457
Line https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L526
Tools Used
Manual analysis
Recommended Mitigation Steps
The recommended solution is to use the safeTransfer and safeTransferFrom functions from OpenZeppelin's contracts library, which provide the necessary safety checks to ensure that the transfer of tokens is successful and secure.