Closed sherlock-admin2 closed 9 months ago
4 comment(s) were left on this issue during the judging contest.
_rahul commented:
Invalid: Non standard / weird-tokens are not considered valid by default unless these tokens are explicitly mentioned in the README.
Shaheen commented:
Valid Medium, nice finding
0xLogos commented:
technically valid medium according to contest readme, but imho it's too much unrealistic for someone to vest Synthetix's tokens
pratraut commented:
valid as token with two addresses can steal tokens from escrow contract
Breeje
medium
Recipient can claim all vested tokens instantly if token used is Proxied Token

Summary
Certain tokens like SNX, sETH, and sBTC have multiple entry points due to their proxy contract structure. The recoverERC20 function in the VestingEscrow contract does not appropriately handle scenarios involving Proxied Tokens, allowing a recipient to instantly claim all vested tokens without adhering to the vesting period.

Vulnerability Detail
Background:
As per Readme:
As it is explicitly mentioned that all types of ERC20 tokens are in scope except those with transfer fees or rebasing mechanisms, reporting this one.
Some ERC20 tokens use a proxy contract, resulting in at least two entry points (proxy and implementation) for their functionality. Such token types are listed in the Famous Weird Token Repo.
An example is Synthetix's ProxyERC20 token contract, used by tokens like SNX, sUSD, and sBTC. These tokens can be interacted with through multiple entry points. Resource: Synthetix ProxyERC20 Docs
Have a look at how ProxyERC20 is implemented: Link to Code
As you can see, this proxy contract (ProxyERC20) forwards calls to a target where the main implementation resides. In the target, validation only ensures that the call originates either from the Proxy or directly from the caller (the optionalProxy pattern), so users can interact with the token through either address, and a transfer made through the implementation address moves exactly the same balance as one made through the proxy. Just to illustrate, here are some examples of tokens which can be affected by this vulnerability:
SNX Token: Link | Current Market Cap: 1.2 Billion $
sUSD Token: Link | Current Market Cap: 56 Million $
sETH Token: Link | Current Market Cap: 38 Million $
sBTC Token: Link | Current Market Cap: 13 Million $
Market Cap Data Source: Etherscan
Issue
The VestingEscrow contract is designed to hold tokens until the vesting period elapses, allowing the recipient to claim tokens over time as they vest. However, the recoverERC20 function, intended to transfer the entire requested amount if token_ is not equal to token(), fails to account for Proxied Tokens. Link to Code
In the case of Proxied Tokens, the recoverERC20 function acts as a backdoor for the recipient to instantly claim all tokens by passing the token's other entry point (the implementation address when the escrow was configured with the proxy address). The crucial token_ == address(token()) check compares addresses only, so it is bypassed even though the two addresses operate on the same balance, enabling the recipient to claim the entire vested amount without waiting for the intended vesting period.

Impact
Recipients can exploit the vulnerability to claim tokens instantly, bypassing the vesting period.
Code Snippet
Shown Above.
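The following is an added illustration and is not code from the VestingEscrow project or from Synthetix. It consists of a hypothetical two-entry-point token modelled on the optionalProxy idea (ImplToken holds the balances, ProxyToken forwards to it), a stripped-down escrow with the address-equality check described above, a hardened variant that checks the vesting token's balance after the transfer instead of trusting address equality, and a Demo contract that exercises both. All contract and function names, the balance-invariant fix, and the amounts are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical two-entry-point token, modelled on the optionalProxy idea (not Synthetix's code).
// ImplToken holds the balances; ProxyToken forwards to it. Both addresses move the same balance.
contract ImplToken is IERC20 {
    address public proxy;
    address private messageSender;
    mapping(address => uint256) public override balanceOf;

    constructor(address holder, uint256 supply) { balanceOf[holder] = supply; }
    function setProxy(address proxy_) external { require(proxy == address(0), "proxy set"); proxy = proxy_; }

    // The proxy records the real caller before forwarding.
    function setMessageSender(address sender) external {
        require(msg.sender == proxy, "only proxy");
        messageSender = sender;
    }

    // Direct calls are accepted too: this is the second entry point.
    modifier optionalProxy() {
        if (msg.sender != proxy) messageSender = msg.sender;
        _;
    }

    function transfer(address to, uint256 amount) external override optionalProxy returns (bool) {
        address from = messageSender;
        require(balanceOf[from] >= amount, "insufficient");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract ProxyToken is IERC20 {
    ImplToken public immutable target;
    constructor(ImplToken target_) { target = target_; }
    function balanceOf(address owner) external view override returns (uint256) { return target.balanceOf(owner); }
    function transfer(address to, uint256 amount) external override returns (bool) {
        target.setMessageSender(msg.sender);
        return target.transfer(to, amount);
    }
}

// Minimal escrow with the address-equality check the report describes (assumed shape, not the real contract).
contract VestingEscrowVulnerable {
    IERC20 public immutable token;   // configured with the proxy address
    address public immutable recipient;
    uint256 public immutable totalLocked;
    uint256 public totalClaimed;

    constructor(IERC20 token_, address recipient_, uint256 totalLocked_) {
        token = token_; recipient = recipient_; totalLocked = totalLocked_;
    }
    function unclaimed() public view returns (uint256) { return totalLocked - totalClaimed; }

    // token_ == implementation address passes the check yet spends the escrow's vesting balance.
    function recoverERC20(address token_, uint256 amount) external virtual {
        require(token_ != address(token), "vesting token");
        IERC20(token_).transfer(recipient, amount);
    }
}

// Hardened variant (assumed fix): after the transfer, require that the vesting token balance
// still covers the outstanding obligation, so any alias of the vesting token is caught.
contract VestingEscrowHardened is VestingEscrowVulnerable {
    constructor(IERC20 t, address r, uint256 l) VestingEscrowVulnerable(t, r, l) {}

    function recoverERC20(address token_, uint256 amount) external override {
        IERC20(token_).transfer(recipient, amount);
        require(token.balanceOf(address(this)) >= unclaimed(), "would drain vesting balance");
    }
}

// Walks through both escrows; deploy and call run() in Remix or from a Foundry test.
contract Demo {
    address constant RECIPIENT = address(0xBEEF);

    function run() external returns (uint256 recipientBalance, bool hardenedBlocked) {
        ImplToken impl = new ImplToken(address(this), 2_000e18);
        ProxyToken proxyTok = new ProxyToken(impl);
        impl.setProxy(address(proxyTok));

        VestingEscrowVulnerable weak = new VestingEscrowVulnerable(proxyTok, RECIPIENT, 1_000e18);
        VestingEscrowHardened strong = new VestingEscrowHardened(proxyTok, RECIPIENT, 1_000e18);
        proxyTok.transfer(address(weak), 1_000e18);     // funded through the proxy, as a deployer would
        proxyTok.transfer(address(strong), 1_000e18);

        // Pass the implementation address: token_ != token, so the check passes and the
        // whole vesting balance lands with the recipient on day one.
        weak.recoverERC20(address(impl), 1_000e18);
        recipientBalance = proxyTok.balanceOf(RECIPIENT);

        // The hardened escrow performs the same transfer, then reverts on the balance invariant.
        try strong.recoverERC20(address(impl), 1_000e18) { hardenedBlocked = false; }
        catch { hardenedBlocked = true; }
    }
}
```

run() returns the recipient's balance as seen through the proxy after draining the vulnerable escrow, and whether the hardened escrow refused the same call. The hardened check is deliberately written against the balance of the configured vesting token rather than against token_, because an address comparison cannot know how many other addresses reach the same storage.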
Tool used
Manual Review
Recommendation
To address this vulnerability, a require check should be added at the end of the recoverERC20 function:

Duplicate of #62