Closed code423n4 closed 1 year ago
The _rescueFunds() function can only be called by the Comptroller admin, not the MultiRewardDistributor admin.
They're the same.
Inflated and invalid assumption.
0xSorryNotSorry marked the issue as low quality report
Add a _reclaimExcessTokens function that allows a config owner to withdraw their excess rewards that have accrued.
That's not a terrible suggestion. However, given that there is a way out for the sponsor in _rescueFunds and the overinflated severity, I'll just mark this as invalid.
alcueca marked the issue as unsatisfactory: Overinflated severity
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L2-L1248
Vulnerability details
Impact
Funds get locked in the contract, resulting in loss of asset control, loss of funds, and increased costs to recover the funds.
Proof of Concept
Reviewing the list of external and public functions, there is no withdraw() or reclaim() function:
There are no modifiers like onlyAdmin that restrict access to a withdrawal function. So in summary, the lack of any external withdrawal capability indicates there is no way to reclaim funds from this contract currently.
Withdrawing excess tokens could be useful for the following reasons:
Tools Used
Manual
Recommended Mitigation Steps
Add a _reclaimExcessTokens function that allows a config owner to withdraw their excess rewards that have accrued.
Assessed type
Other
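The two recovery paths discussed in this thread, as an added illustration that is not part of the report and not the Moonwell MultiRewardDistributor code: an unconditional, admin-only _rescueFunds of the kind the judge points to, beside the narrower _reclaimExcessTokens the warden suggests. The contract, its bookkeeping (a single unclaimed counter per reward token, a per-token configOwner) and the IERC20 surface are hypothetical and simplified; the point is the bound in _reclaimExcessTokens, which only lets the config owner take what the contract holds beyond rewards already accrued to users.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal ERC-20 surface; not the project's own interface.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Toy reward distributor used only to contrast an admin rescue with a bounded
/// reclaim. Hypothetical; not the Moonwell MultiRewardDistributor.
contract ToyRewardDistributor {
    address public immutable admin;

    // Per reward token: rewards accrued to users but not yet claimed.
    // This portion is owed to users and must never be reclaimable by anyone else.
    mapping(address => uint256) public unclaimed;

    // Per reward token: the address allowed to reclaim that token's surplus.
    mapping(address => address) public configOwner;

    event FundsRescued(address indexed token, uint256 amount, address indexed to);
    event ExcessReclaimed(address indexed token, uint256 amount, address indexed to);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function setConfigOwner(address token, address owner) external onlyAdmin {
        configOwner[token] = owner;
    }

    // Simplified accounting hooks: a real distributor computes these from
    // market indices; here the admin records accruals and claims directly.
    function accrue(address token, uint256 amount) external onlyAdmin {
        unclaimed[token] += amount;
    }

    function claim(address token, address user, uint256 amount) external onlyAdmin {
        unclaimed[token] -= amount; // reverts on underflow in 0.8.x
        require(IERC20(token).transfer(user, amount), "transfer failed");
    }

    /// Surplus = tokens held beyond what users are still owed.
    function excess(address token) public view returns (uint256) {
        uint256 bal = IERC20(token).balanceOf(address(this));
        uint256 owed = unclaimed[token];
        return bal > owed ? bal - owed : 0;
    }

    /// Admin escape hatch: unconditional, so it can also move tokens that are
    /// owed to users. Safe only under full trust in the admin.
    function _rescueFunds(address token, uint256 amount) external onlyAdmin {
        require(IERC20(token).transfer(admin, amount), "transfer failed");
        emit FundsRescued(token, amount, admin);
    }

    /// Narrower path suggested in the report: the token's config owner may take
    /// at most the surplus, so accrued-but-unclaimed rewards stay in the contract.
    function _reclaimExcessTokens(address token, uint256 amount) external {
        require(msg.sender == configOwner[token], "not config owner");
        require(amount <= excess(token), "exceeds excess");
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
        emit ExcessReclaimed(token, amount, msg.sender);
    }
}
```

The check in _reclaimExcessTokens is what distinguishes a reclaim from a drain: excess() is computed from the live balance minus outstanding obligations, so a config owner cannot withdraw rewards users have already earned, whereas _rescueFunds has no such bound and relies entirely on the admin being trusted. Fee-on-transfer or rebasing reward tokens would make the balance-based surplus inexact, which is a reason to compute it per token rather than assume balance equals deposits.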