Closed c4-submissions closed 9 months ago
0xleastwood marked the issue as primary issue
It's unclear to me, but I don't think VotiumStrategy holds any tokens and therefore, the rewarder in VotiumStrategyCore would be unable to rug by approving arbitrary tokens where they are the spender, right? @elmutt
0xleastwood marked the issue as selected for report
Actually it is pretty clear that there will be tokens held by the contract.
0xleastwood marked the issue as duplicate of #54
0xleastwood marked the issue as not selected for report
0xleastwood marked the issue as satisfactory
0xleastwood marked the issue as partial-50
Giving partial credit because it is missing a lot of context as compared to the primary issue.
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/6b4867491350f8327d0ac4f496f263642cf3c1be/contracts/strategies/votium/VotiumStrategyCore.sol#L287-L290
Vulnerability details
Description
VotiumStrategyCore.applyRewards() gives unlimited allowance on its claimed rewards tokens. It is not thereafter reset, and there is not even any way to reset the allowance. It is dangerous to trust the spenders indefinitely in case they are compromised or otherwise turn undesirable.
Recommended Mitigation Steps
Reset the allowance to 0 at the end of applyRewards().
Assessed type
ERC20
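To make the finding and its mitigation concrete, here is an added Solidity illustration; it is not code from the Asymmetry repository, and `ISwapper`, `swapExactTokens` and `RewardsAllowanceExample` are hypothetical stand-ins for whichever spender applyRewards() hands the claimed reward tokens to. The first function shows the unbounded, never-reduced allowance the report describes; the second approves only the amount about to be spent and resets the allowance to 0 afterwards, as the mitigation recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example for the allowance finding above; not the project's own code.
// Only the ERC20 surface the example needs.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical spender that pulls tokens via transferFrom (a swap router, for instance).
interface ISwapper {
    function swapExactTokens(address token, uint256 amountIn, address recipient) external;
}

contract RewardsAllowanceExample {
    ISwapper public immutable swapper;

    constructor(ISwapper _swapper) {
        swapper = _swapper;
    }

    // The pattern the finding describes: an unbounded allowance that is never reduced.
    // After this call the spender can move every unit of `token` this contract holds,
    // including tokens that arrive later and were never meant to be swapped, and
    // nothing in the contract can ever revoke that.
    function applyRewardsUnbounded(address token) external {
        uint256 amount = IERC20(token).balanceOf(address(this));
        IERC20(token).approve(address(swapper), type(uint256).max);
        swapper.swapExactTokens(token, amount, address(this));
        // allowance remains type(uint256).max here
    }

    // Mitigated pattern: approve exactly what is about to be spent, then clear
    // whatever is left so the spender's power ends with this transaction.
    // Production code should route these calls through a SafeERC20-style helper,
    // since some tokens do not return a bool from approve().
    function applyRewardsScoped(address token) external {
        IERC20 t = IERC20(token);
        uint256 amount = t.balanceOf(address(this));
        t.approve(address(swapper), amount);
        swapper.swapExactTokens(token, amount, address(this));
        // Reset to zero regardless of how much the spender actually consumed.
        t.approve(address(swapper), 0);
    }

    // Invariant a unit test or an on-chain monitor can check after any rewards run:
    // the spender's allowance on every reward token should be 0 between calls.
    function spenderAllowance(address token) external view returns (uint256) {
        return IERC20(token).allowance(address(this), address(swapper));
    }
}
```

In a test, call `applyRewardsScoped` against a mock token and mock swapper and assert that `spenderAllowance(token)` returns 0 afterwards; the same assertion fails for `applyRewardsUnbounded`, which is the gap the report points at.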