code-423n4 / 2023-05-xeth-findings


CVXStaker cannot recover ETH #31

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-xeth/blob/main/src/CVXStaker.sol#L11

Vulnerability details

CVXStaker cannot recover ETH

The CVXStaker contract contains a function to recover ERC20 tokens but fails to consider ETH.

Impact

The CVXStaker contract contains a safeguard function to recover any ERC20 token that may be sent to the contract by mistake or left unaccounted for in the integration with Convex. This is present in the function recoverToken():

https://github.com/code-423n4/2023-05-xeth/blob/main/src/CVXStaker.sol#L101-L109

101:     function recoverToken(
102:         address token,
103:         address to,
104:         uint256 amount
105:     ) external onlyOwner {
106:         IERC20(token).safeTransfer(to, amount);
107: 
108:         emit RecoveredToken(token, to, amount);
109:     }

However, the implementation fails to consider ETH, as recoverToken() can only be used for ERC20 tokens.

Recommendation

function recoverETH(address to, uint256 amount) external onlyOwner {
    payable(to).transfer(amount);
}

Assessed type

ETH-Transfer
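As an added example (not code from the xETH repository or from the finding above), a hypothetical minimal contract with an owner-only ETH recovery path next to the ERC20 one. It assumes a simple `onlyOwner` modifier and a `receive()` function so the contract can actually hold ETH, and it uses a checked low-level `call` rather than `transfer`, because the fixed 2300-gas stipend of `transfer` can make recovery revert when the owner-chosen recipient is a contract such as a multisig.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal contract (not the project's CVXStaker) showing an ETH
// recovery path. Assumes a simple owner check and that the contract can hold
// ETH via receive().
contract EthRecoverable {
    address public immutable owner;

    event RecoveredETH(address indexed to, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error EthTransferFailed(address to, uint256 amount);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Assumed: ETH can reach this contract (mistaken sends, or an integration
    // paying out native ETH). Without a recovery function it would be stuck.
    receive() external payable {}

    // Owner-only ETH recovery. A low-level call with a checked return value is
    // used instead of transfer(): transfer() forwards only 2300 gas and reverts
    // for recipients whose receive/fallback needs more (e.g. many multisigs),
    // which would leave the ETH just as stuck as having no recovery at all.
    function recoverETH(address to, uint256 amount) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        (bool ok, ) = payable(to).call{value: amount}("");
        if (!ok) revert EthTransferFailed(to, amount);
        emit RecoveredETH(to, amount);
    }
}
```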

kirk-baird commented 1 year ago

Not recovering ETH stuck in the contract is considered a QA issue.

c4-judge commented 1 year ago

kirk-baird changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

kirk-baird marked the issue as grade-a

c4-sponsor commented 1 year ago

vaporkane marked the issue as sponsor confirmed