sherlock-admin closed this issue 9 months ago
Invalid, the target contract is votingAdaptor, which does not have a withdrawing function exposed, so this is not possible.
2 comment(s) were left on this issue during the judging contest.
_rahul commented:
POC required for the issue to be considered valid.
pratraut commented:
'invalid as delegate call is not executing arbitrary call based on param passed'
kgothatso
high
VestingEscrow :: delegate
cause withdraw to a delegated function and lose all funds
Summary
The delegate call can call a contract that has a withdraw function. The delegate call can call a contract that has an approve function that can make you lock the funds.
Vulnerability Detail
External delegated withdraw
Impact
Funds can be withdrawn from a contract executing the delegate call from the proxy contract
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L268
Tool used
Manual Review
Recommendation
Check the contract address before the proxy contract points to it