Compromised or malicious owner can easily rug 100% of user tokens held in Lender.sol
Summary
The protocol has implemented a delay for withdraw but it can be very easily skipped by a compromised or malicious owner, resulting in a 100% rug for users.
Vulnerability Detail
Lender.sol has a withdraw mechanism for an owner that includes a 3 day delay so admin can't rug users. This is good, but it can be bypassed very easily with the second approve method in the same contract - with it the owner can approve any address to spend any amount of any token any time. The same can happen for non-uderlying tokens with the first approve method in the contract.
Impact
The impact can be 100% of users' tokens locked in Lender.sol being lost permanently, but it requires a malicious/compromised owner, hence Medium severity.
pashov
medium
Compromised or malicious owner can easily rug 100% of user tokens held in
Lender.sol
Summary
The protocol has implemented a delay for
withdraw
but it can be very easily skipped by a compromised or malicious owner, resulting in a 100% rug for users.Vulnerability Detail
Lender.sol
has a withdraw mechanism for an owner that includes a 3 day delay so admin can't rug users. This is good, but it can be bypassed very easily with the secondapprove
method in the same contract - with it the owner can approve any address to spend any amount of any token any time. The same can happen for non-uderlying tokens with the firstapprove
method in the contract.Impact
The impact can be 100% of users' tokens locked in
Lender.sol
being lost permanently, but it requires a malicious/compromised owner, hence Medium severity.Code Snippet
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L172
Tool used
Manual Review
Recommendation
Add the same delay mechanism that is in
withdraw
to theapprove
methods.