search

sherlock-audit / 2023-02-gmx-judging

17 stars 11 forks source link

tsvetanovv - Malicious or hacked admin can steal tokens #213

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

tsvetanovv

medium

Malicious or hacked admin can steal tokens

Summary

In Bank.sol we have transferOut() This function is external and can be call only by onlyController. It is possible malicious or hacked owner to steal tokens.

function transferOut( 
        address token,
        address receiver,
        uint256 amount
    ) external onlyController {
        _transferOut(token, receiver, amount);
    }

Vulnerability Detail

As can be seen from the code snippet , nothing can stop malicious or hacked admin to steal tokens. He can use address receiver and send tokens for yourself.

Impact

Malicious or hacked admin can steal tokens.

Code Snippet

https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/bank/Bank.sol#L88-L100

function transferOut( 
        address token,
        address receiver,
        uint256 amount
    ) external onlyController {
        _transferOut(token, receiver, amount);
    }

Tool used

Manual Review

Recommendation

For more certain it is good to add timelock mechanism.