hats-finance / Possum-Labs--Portals--0xed8965d49b8aeca763447d56e6da7f4e0506b2d3

GNU General Public License v2.0

Vulnerability in Token Conversion Allows Unauthorized Withdrawal of bTokens #56

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @hama-tech
Twitter username: --
Submission hash (on-chain): 0x7fce70896838c529ced045c2a9b5e718edfefc804d74e35b9d4ebdb01325c147
Severity: high

Description:

Description
Describe the context and the effect of the vulnerability.

Attack Scenario
Describe how the vulnerability can be exploited.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

PossumLabsCrypto commented 1 year ago

If there are bTokens inside the Portal, they can be withdrawn via convert(). This is intended.

bTokens should never be inside the Portal unless users send them by accident. In this case it is good to retrieve some value for the Portal via convert().