code-423n4 / 2023-09-asymmetry-findings


`VotiumStrategyCore.applyRewards()` leaves unlimited allowance on tokens. #65

Closed c4-submissions closed 9 months ago

c4-submissions commented 9 months ago

Lines of code

https://github.com/code-423n4/2023-09-asymmetry/blob/6b4867491350f8327d0ac4f496f263642cf3c1be/contracts/strategies/votium/VotiumStrategyCore.sol#L287-L290

Vulnerability details

Description

VotiumStrategyCore.applyRewards() gives unlimited allowance on its claimed rewards tokens. It is not thereafter reset, and there is not even any way to reset the allowance. It is dangerous to trust the spenders indefinitely in case they are compromised or otherwise turn undesirable.

Recommended Mitigation Steps

Reset the allowance to 0 at the end of applyRewards().

Assessed type

ERC20
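Added example, not code from VotiumStrategyCore or the asymmetry repository: a minimal contract contrasting the unlimited-allowance pattern the finding describes with the mitigation it recommends. `ISwapTarget`, `RewardApplierExample` and the `swap` signature are assumed names for illustration only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Assumed shape of the spender (e.g. a swap router); not the project's interface.
interface ISwapTarget {
    function swap(address tokenIn, uint256 amountIn) external;
}

contract RewardApplierExample {
    address public immutable swapTarget;

    constructor(address _swapTarget) {
        swapTarget = _swapTarget;
    }

    // Pattern the finding describes: allowance is set to max and never reset,
    // so every unit of this token the contract ever holds stays spendable by
    // swapTarget for the lifetime of the contract, even if swapTarget is later
    // compromised or replaced by something undesirable.
    function applyRewardsUnlimited(address token) external {
        uint256 amount = IERC20(token).balanceOf(address(this));
        IERC20(token).approve(swapTarget, type(uint256).max);
        ISwapTarget(swapTarget).swap(token, amount);
    }

    // Mitigated pattern: approve only what this call will spend and reset the
    // allowance to 0 at the end, as the submission recommends. The reset also
    // keeps tokens that require a zero allowance before a new non-zero one
    // (USDT-style approve) from reverting on the next call.
    // Production code should use OpenZeppelin SafeERC20 (forceApprove) so that
    // tokens whose approve() returns nothing are handled as well.
    function applyRewardsScoped(address token) external {
        uint256 amount = IERC20(token).balanceOf(address(this));
        IERC20(token).approve(swapTarget, amount);
        ISwapTarget(swapTarget).swap(token, amount);
        IERC20(token).approve(swapTarget, 0);
    }
}
```

A quick defender-side check for the first pattern is to read `allowance(strategy, spender)` after `applyRewards()` runs: if it still reports `type(uint256).max`, the standing approval the finding warns about is in place.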

c4-judge commented 9 months ago

0xleastwood marked the issue as primary issue

0xleastwood commented 9 months ago

It's unclear to me, but I don't think VotiumStrategy holds any tokens and therefore, the rewarder in VotiumStrategyCore would be unable to rug by approving arbitrary tokens where they are the spender right? @elmutt

c4-judge commented 9 months ago

0xleastwood marked the issue as selected for report

0xleastwood commented 9 months ago

> It's unclear to me, but I don't think VotiumStrategy holds any tokens and therefore, the rewarder in VotiumStrategyCore would be unable to rug by approving arbitrary tokens where they are the spender right? @elmutt

Actually it is pretty clear that there will be tokens held by the contract.

c4-judge commented 9 months ago

0xleastwood marked the issue as duplicate of #54

c4-judge commented 9 months ago

0xleastwood marked the issue as not selected for report

c4-judge commented 9 months ago

0xleastwood marked the issue as satisfactory

c4-judge commented 9 months ago

0xleastwood marked the issue as partial-50

0xleastwood commented 9 months ago

Giving partial credit because it is missing a lot of context as compared to the primary issue.