Lines of code
Vulnerability details
Mitigation of M-09: Issue mitigated
Mitigated issue
M-09: withdrawAllAndUnwrap() the clpToken transfer to AMO.sol may be locked in the contract
Fix: https://github.com/code-423n4/2023-05-xeth/commit/a840dc0b8a1de59a3ea06e0814ea3ce26707bdae
The issue was that CVXStaker.withdrawAllAndUnwrap() may transfer CLP tokens to the operator AMO2, which cannot make use of them, and hence they are stuck.
Mitigation review
The tokens are sent to the sender, which can only be the owner, instead of the operator. Furthermore a function recoverToken() is added to AMO2 which the admin can call to recover any token. This eliminates the issue.
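The two changes reviewed above, shown as a simplified sketch. This is an added example, not the xETH source or the linked commit: the contract names, constructors, the "before" function name and the parameter lists (including those of withdrawAllAndUnwrap and recoverToken) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative sketch only. Minimal interfaces, assumed for this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IRewardPool {
    function withdrawAllAndUnwrap(bool claim) external;
}

contract StakerSketch {
    address public immutable owner;
    address public immutable operator; // the AMO contract
    IERC20 public immutable clpToken;
    IRewardPool public immutable rewardPool;

    constructor(address operator_, IERC20 clp_, IRewardPool pool_) {
        owner = msg.sender;
        operator = operator_;
        clpToken = clp_;
        rewardPool = pool_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Before: unwrapped CLP is pushed to the operator, which has no way to use or move it.
    function withdrawAllAndUnwrapBefore(bool claim) external onlyOwner {
        rewardPool.withdrawAllAndUnwrap(claim);
        require(clpToken.transfer(operator, clpToken.balanceOf(address(this))), "transfer failed");
    }

    // After: unwrapped CLP goes to the caller, which onlyOwner restricts to the owner.
    function withdrawAllAndUnwrap(bool claim) external onlyOwner {
        rewardPool.withdrawAllAndUnwrap(claim);
        require(clpToken.transfer(msg.sender, clpToken.balanceOf(address(this))), "transfer failed");
    }
}

contract AmoSketch {
    address public immutable admin;

    constructor() { admin = msg.sender; }

    // Admin-only escape hatch: any token held by this contract can be moved out.
    function recoverToken(IERC20 token, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        require(token.transfer(admin, amount), "transfer failed");
    }
}
```

When reviewing a fix of this shape, check that the recovery function is gated by the intended role and that no remaining code path sends tokens to a contract lacking an outbound transfer.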