search

code-423n4 / 2023-06-xeth-mitigation-findings

0 stars 0 forks source link

M-09 MitigationConfirmed #14

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

Vulnerability details

Comments

The M-09 issue shows that the tokens sent to the AMO from the staker by withdrawAllAndUnwrap function will stuck in the contract forever because there is not an external interface to transfer tokens from the AMO contract directly.

The mitigation commit adds two changes:

  1. AMO adds a recoverToken function which is used to withdraw specified tokens in the contract by the admin.
  2. CVXStaker changes the target address of the withdrawAllAndUnwrap function. The tokens will be sent to the msg.sender, which is limited by the onlyOwner modifier and must be the owner address, instead of the AMO contract.

So all the tokens are available for the admin in the AMO and CVXStaker.

c4-judge commented 1 year ago

kirk-baird marked the issue as satisfactory

c4-judge commented 1 year ago

kirk-baird marked the issue as confirmed for report