Open hats-bug-reporter[bot] opened 6 months ago
I agree it seems like a missed inconsistency, will ask about this and get back.
@PlamenTSV I think it is not a valid issue. This issue considers a future scenario which is not in scope. Also, sendToken can be called by the owner only, so it is a centralization issue, at best an informational issue.
This is a valid issue
We should iterate through the rewardTokenConfig array instead of these hardcoded addresses
It's indeed a Low issue
Github username: @NicolaMirchev
Twitter username: nmirchev8
Submission hash (on-chain): 0x87b9161cbee385de744dd7e4eae4373eefec858382dde8fc4ab5117587d9ea75
Severity: low
Description:
Inside CvxConvergenceLocker there is a restricted function sendTokens, which has the modifier onlyOwner and is used to transfer locked funds in the contract, which are different from the reward tokens, as we can see in the following lines:

The problem is that new reward tokens may be added from CVX_LOCKER using addReward, but sendTokens doesn't check for such new reward tokens, so the owner may transfer them out of the locker contract.

Attack Scenario
Owner of CvxLocker calls addReward with a new reward token different from [CVX, CRV, FXS] (maybe CVX1).
Some reward value is accumulated for CvxConvergenceLocker and when CvxConvergenceLocker::pullRewards is called, it is transferred to the locker contract, but CVX1 is still not added to rewardTokensConfiguration, so it is left in this contract.
Now owner calls sendTokens with the address of CVX1 and user rewards are sent outside of the contract.

Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Inside sendTokens, check dynamically whether tokens[i] is not present in CvxLocker::rewardTokens()
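
One way to implement the dynamic check suggested above, as an added example that is not part of the original submission or the project's code. The interfaces, the sendTokens signature, the contract name and the MAX_REWARD_TOKENS bound are assumptions; rewardTokens is assumed to be the index-based getter of a public array on the locker.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed minimal interfaces; not taken from the project's sources.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface ILockerRewards {
    // Assumed auto-generated getter of a public address[]:
    // it reverts once the index is past the end of the array.
    function rewardTokens(uint256 index) external view returns (address);
}

contract SendTokensGuard {
    address public immutable owner;
    ILockerRewards public immutable cvxLocker;
    uint256 private constant MAX_REWARD_TOKENS = 32; // constructed bound on the scan

    constructor(ILockerRewards locker) {
        owner = msg.sender;
        cvxLocker = locker;
    }

    // True if `token` is currently registered as a reward token on the locker.
    function isLockerRewardToken(address token) public view returns (bool) {
        for (uint256 i = 0; i < MAX_REWARD_TOKENS; ++i) {
            try cvxLocker.rewardTokens(i) returns (address registered) {
                if (registered == token) return true;
            } catch {
                return false; // ran past the end of the array: not a reward token
            }
        }
        // Fail closed: the list is longer than the scan covers, so refuse to decide.
        revert("TOO_MANY_REWARD_TOKENS");
    }

    // Owner-only sweep that refuses every token the locker pays out as a reward,
    // including tokens registered through addReward after deployment.
    function sendTokens(address[] calldata tokens, uint256[] calldata amounts, address to) external {
        require(msg.sender == owner, "NOT_OWNER");
        require(tokens.length == amounts.length, "LENGTH_MISMATCH");
        for (uint256 i = 0; i < tokens.length; ++i) {
            require(!isLockerRewardToken(tokens[i]), "REWARD_TOKEN");
            require(IERC20Like(tokens[i]).transfer(to, amounts[i]), "TRANSFER_FAILED");
        }
    }
}
```

Because the list is read from the locker on every call, a token added later with addReward is blocked without any configuration change in this contract.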