Any extra reward tokens that accumulate in the contract remain locked there permanently.

[code423n4]

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L2-L1248

Vulnerability details

Impact

Funds get locked in contract resulting to Loss of asset control, funds and increased costs to recover fund

Proof of Concept

Reviewing the list of external and public functions, there is no withdraw() or reclaim() function:

2. Scanning the contract code, there are no internal or private functions for withdrawals either.
3. The _rescueFunds() function can only be called by the Comptroller admin, not the MultiRewardDistributor admin.

There are no modifiers like onlyAdmin that restrict access to a withdrawal function. So in summary, the lack of any external withdrawal capability indicates there is no way to reclaim funds from this contract currently.

withdrawing excess tokens could be useful for the following reasons

• If configured emission speeds are too high, excess tokens build up in the contract. The admin may want to reclaim these.
• If reward emission is turned off, leftover tokens remain locked in the contract. There is no way to get these out.
• When upgrading the reward distributor to a new contract, excess tokens in the old contract remain locked. There is no way to migrate them.
• If the emission token is upgraded/swapped, the old tokens remain stuck in the contract.

Tools Used

Manual

Recommended Mitigation Steps

• Add a _reclaimExcessTokens function that allows a config owner to withdraw their excess rewards that have accrued.
• Allow the _rescueFunds function to specify the beneficiary, rather than always being the Comptroller admin.
• Automatically sweep excess rewards to config owners on a regular basis.

Assessed type

Other

[0xSorryNotSorry]

The _rescueFunds() function can only be called by the Comptroller admin, not the MultiRewardDistributor admin.

They're the same.

Inflated and invalid assumption.

[c4-pre-sort]

0xSorryNotSorry marked the issue as low quality report

[alcueca]

Add a _reclaimExcessTokens function that allows a config owner to withdraw their excess rewards that have accrued.

That's not a terrible suggestion. However, given that there is a way out for the sponsor in _rescueFunds and the overinflated severity, I'll just mark this as invalid.

[c4-judge]

alcueca marked the issue as unsatisfactory: Overinflated severity