Closed code423n4 closed 10 months ago
0xSorryNotSorry marked the issue as low quality report
lyoungblood marked the issue as sponsor disputed
The assumption here is that _rescueFunds is not supposed to be able to sweep everything. It would be very useful to rescue funds in a crisis situation to avoid being hacked.
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9ay9497d0da09105df4df/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L471-L487
Vulnerability details
Impact
Abuse of sweeping arbitrary tokens.
Proof of Concept
The _rescueFunds function allows sweeping any tokens, when it should only allow sweeping of the underlying asset.
Tools Used
Manual
Recommended Mitigation Steps
Assessed type
Other