hats-finance / Convergence---Convex-integration-0xb3df23e155b74ad2b93777f58980d6727e8b40bb


Owner of CVXRewardDistributor can steal all the cvx1 & CVX tokens from it #51

Open hats-bug-reporter[bot] opened 4 months ago

hats-bug-reporter[bot] commented 4 months ago

Github username: @0xumarkhatab
Twitter username: 0xumarkhatab
Submission hash (on-chain): 0x9e7d3e6658f64e6bac35f885204a474a01ef1278ef7397708688d284b003bbe1
Severity: medium

Description:
The owner of CVXRewardDistributor can approve any arbitrary address to trade the tokens cvx and cvx1 on behalf of rewardsDistributor. So if the rewards contract contains cvx and cvx1 tokens in any scenario, the owner can potentially steal all those assets by passing an arbitrary address as _poolCvgCvxCvx1 and then resetting the correct address in CvxRewardDistributor#setPoolCvgCvxCvx1AndApprove.

Attack Scenario

```solidity
function setPoolCvgCvxCvx1AndApprove(ICrvPoolPlain _poolCvgCvxCvx1, uint256 amount) external onlyOwner {
    /// @dev Remove approval from previous pool
    if (address(poolCvgCvxCvx1) != address(0)) cvx1.approve(address(poolCvgCvxCvx1), 0);

    poolCvgCvxCvx1 = _poolCvgCvxCvx1;
    cvx1.approve(address(_poolCvgCvxCvx1), amount);
    CVX.approve(address(cvxConvergenceLocker), amount);
}
```

This method sets the new pool address given by the owner, but it does not first verify that the passed address is in fact one of the pools and not an arbitrary address that merely appears to be wrapped in the ICrvPoolPlain interface.

This poses a significant threat to tokens inside the rewards distributor contract, which could be stolen by a malicious owner.

The owner would approve all the tokens to this address and then call transferFrom on the cvx and cvx1 contracts.

The likelihood is Low but the impact is high so I'm reporting it as medium.

Attachments N/A

  1. Proof of Concept (PoC) File: Please read the vulnerability detail section.

  2. Revised Code File (Optional): Inside setPoolCvgCvxCvx1AndApprove, ensure that the address is in fact the pool address that the contract is approving tokens to.
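One way to implement the suggested check, as an added illustration that is not the project's own code: before granting the allowance, confirm that the candidate is a contract whose pool coins include cvx1 (Curve plain pools expose `coins(uint256)`), revoke the previous allowance, and emit an event so allowance changes can be monitored. The contract name, the constructor and the minimal interfaces are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Minimal interfaces for the example; Curve plain pools expose coins(uint256) -> address.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}
interface ICrvPoolPlain {
    function coins(uint256 i) external view returns (address);
}

// Hypothetical hardened distributor (illustration only, not the project's contract).
contract CvxRewardDistributorHardened {
    address public immutable owner;
    IERC20 public immutable cvx1;
    IERC20 public immutable CVX;
    address public immutable cvxConvergenceLocker; // fixed at deploy, never caller-supplied
    ICrvPoolPlain public poolCvgCvxCvx1;

    event PoolCvgCvxCvx1Set(address indexed previousPool, address indexed newPool, uint256 allowance);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 _cvx1, IERC20 _cvx, address _locker) {
        owner = msg.sender; cvx1 = _cvx1; CVX = _cvx; cvxConvergenceLocker = _locker;
    }

    /// Sanity check: the candidate must be a contract whose 2-coin pool holds cvx1.
    /// An EOA is rejected up front; a contract without coins() reverts inside the try and is rejected.
    /// Note: an owner could still deploy a contract that mimics coins(), so pair this with a
    /// timelocked owner or a registry of approved pools to remove the remaining trust assumption.
    function isCvx1Pool(ICrvPoolPlain pool) public view returns (bool) {
        if (address(pool).code.length == 0) return false;
        address c0; address c1;
        try pool.coins(0) returns (address a) { c0 = a; } catch { return false; }
        try pool.coins(1) returns (address a) { c1 = a; } catch { return false; }
        return c0 == address(cvx1) || c1 == address(cvx1);
    }

    function setPoolCvgCvxCvx1AndApprove(ICrvPoolPlain _poolCvgCvxCvx1, uint256 amount) external onlyOwner {
        require(isCvx1Pool(_poolCvgCvxCvx1), "pool: does not hold cvx1");
        address previous = address(poolCvgCvxCvx1);
        if (previous != address(0)) cvx1.approve(previous, 0); // revoke the old pool's allowance
        poolCvgCvxCvx1 = _poolCvgCvxCvx1;
        cvx1.approve(address(_poolCvgCvxCvx1), amount);
        CVX.approve(cvxConvergenceLocker, amount);
        emit PoolCvgCvxCvx1Set(previous, address(_poolCvgCvxCvx1), amount);
    }
}
```

The emitted event carries the old pool, new pool and allowance, which gives off-chain monitoring a concrete signal to alert on whenever the approved spender changes.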

0xumarkhatab commented 4 months ago

This was accidentally submitted twice. Please close this one; #47 is the first one submitted.