Lines of code
https://github.com/code-423n4/2023-05-xeth/blob/main/src/CVXStaker.sol#L11
Vulnerability details
CVXStaker cannot recover ETH
The CVXStaker contract contains a function to recover ERC20 tokens but fails to consider ETH.
Impact
The CVXStaker contract contains a safeguard function to recover any ERC20 token that may be sent to the contract by mistake or that the integration with Convex fails to account for. This function is recoverToken():
https://github.com/code-423n4/2023-05-xeth/blob/main/src/CVXStaker.sol#L101-L109
However, the implementation fails to consider ETH, as recoverToken() can only be used for ERC20 tokens.
Recommendation
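One way to close the gap described above, as an added example that is not part of the original report and is not the xETH CVXStaker source: an owner-gated ERC20 recovery function next to a native ETH counterpart. The contract name, the owner check, the errors and events, `receive()` and `recoverETH()` are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC20 surface used below (assumed; the real contract's imports are not shown on the page).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical sketch of the recovery pattern, not the audited contract.
contract RecoverableStaker {
    address public immutable owner;

    error NotOwner();
    error ZeroAddress();
    error NotAContract();
    error TransferFailed();

    event RecoveredToken(address indexed token, address indexed to, uint256 amount);
    event RecoveredETH(address indexed to, uint256 amount);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Assumption: the sketch accepts plain ETH transfers. ETH can also be forced
    // into a contract that has no payable function (for example via selfdestruct).
    receive() external payable {}

    /// ERC20-only recovery, the shape the finding describes: it offers no path for ETH.
    function recoverToken(address token, address to, uint256 amount) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        if (token.code.length == 0) revert NotAContract();
        // Low-level call so tokens that return no value are still handled.
        (bool ok, bytes memory ret) = token.call(abi.encodeCall(IERC20.transfer, (to, amount)));
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert TransferFailed();
        emit RecoveredToken(token, to, amount);
    }

    /// Added counterpart: recovers native ETH held by the contract.
    function recoverETH(address payable to, uint256 amount) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();
        emit RecoveredETH(to, amount);
    }
}
```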
Assessed type
ETH-Transfer