Open c4-submissions opened 1 year ago
0xleastwood marked the issue as primary issue
0xleastwood marked the issue as selected for report
elmutt (sponsor) confirmed
elmutt marked the issue as disagree with severity
elmutt (sponsor) acknowledged
0xleastwood marked the issue as not selected for report
Not sure if I agree with the severity here. Let's say setFeeAddress()
is called during contract deployment, can anything really be done by front-running this and calling depositRewards()
? It doesn't seem to be the case. Downgrading to QA.
0xleastwood changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/AfEth.sol#L277
Vulnerability details
Summary
The address to which fees are sent is not initialized in the AfEth contract, and could cause loss of funds if fees are collected before this address is properly configured.
Impact
AfEth protocol fees are collected from rewards coming from the Votium strategy. After tokens are claimed, the
depositRewards()
will take a portion of it and send them to the configuredfeeAddress
.https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/AfEth.sol#L272-L279
The main issue here is that this address is not part of the contract initialization. If left uninitialized, the implementation will send the collected ETH from fees to the
address(0)
.Recommendation
Configure the
feeAddress
in the contract's initializer to make sure this address is correctly configured when the instance is set up.Assessed type
ETH-Transfer