sherlock-audit / 2024-01-rio-vesting-escrow-judging


kgothatso - `VestingEscrow::delegate` causes withdraw to a delegated function and loss of all funds #108

Closed. sherlock-admin closed this 9 months ago

sherlock-admin commented 9 months ago

kgothatso

high

VestingEscrow::delegate causes withdraw to a delegated function and loss of all funds

Summary

The delegate call can call a contract that has a withdraw function. The delegate call can call a contract that has an approve function that can make you lock the funds.

Vulnerability Detail

External delegated withdraw.

Impact

Funds can be withdrawn from a contract executing the delegate call from the proxy contract.

https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L268

Code Snippet

```solidity
// Excerpt from VestingEscrow.sol (link above): the delegatecall target is the
// escrow's configured voting adaptor and the selector is fixed by
// abi.encodeCall to IVotingAdaptor.delegate; only `params` is caller-supplied.
function _delegate(bytes calldata params) internal whenVotingAdaptorIsSet returns (bytes memory) {
    return _votingAdaptor().functionDelegateCall(abi.encodeCall(IVotingAdaptor.delegate, params));
}
```

Tool used

Manual Review

Recommendation

Check the contract address before the proxy contract points to it.

nevillehuang commented 9 months ago

Invalid, the target contract is votingAdaptor, which does not have a withdrawing function exposed, so this is not possible.

sherlock-admin2 commented 9 months ago

2 comment(s) were left on this issue during the judging contest.

_rahul commented:

POC required for the issue to be considered valid.

pratraut commented:

'invalid as delegate call is not executing arbitrary call based on param passed'