function recoverERC20(address token_, uint256 amount) external {
if (amount > 0) {
IERC20(token_).safeTransfer(owner(), amount);
emit ERC20Recovered(token_, amount);
}
}
An attacker could initiate a transaction and repeatedly execute it in a loop, also leading to the mass generation of ERC20Recovered events. If the backend processes these events and performs resource-intensive operations, there is a risk of system overload and temporary service disruption.
Invalid, this is a non-issue, given any stuck funds in factory contract will be returned to owner as intended. Additionally, the vesting factory contract is not intended to hold funds in the first place.
millietez
medium
token regeneration leading to system overload
Summary
Sending a transaction through the function VestingEscrowFactory.sol#recoverERC20, which can be repeated in a loop.
Vulnerability Detail
VestingEscrowFactory.sol#L80-L85
An attacker could initiate a transaction and repeatedly execute it in a loop, also leading to the mass generation of
ERC20Recovered
events. If the backend processes these events and performs resource-intensive operations, there is a risk of system overload and temporary service disruption.Impact
System overload and temporary service disruption.
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/VestingEscrowFactory.sol#L80-L85
Tool used
Manual Review
Recommendation
Limit the amount of recoverable tokens within a specific time frame or for any number of transactions.