Closed sherlock-admin closed 9 months ago
I'd consider updating to owner or manager, but consider this low-risk.
2 comment(s) were left on this issue during the judging contest.
anticl0ck commented:
Invalid
crc32 commented:
invalid, this is intended design
AlexCzm
medium
Recoverable funds functions send the value to recipient
Summary
VestingEscrow.recoverERC20 and VestingEscrow.recoverEther send the funds to the recipient address instead of the factory owner, which is trusted.
Vulnerability Detail
recoverEther and recoverERC20 allow anyone to recover any stuck funds and transfer them to the recipient address. But the recipient is not trusted and can refuse to forward the funds to their rightful owner.
Impact
Any funds sent by mistake to escrow contracts can be lost.
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/VestingEscrow.sol#L209
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/VestingEscrow.sol#L218
Tool used
Manual Review
Recommendation
Recover funds to factory owner or factory manager. These are considered trusted entities and should forward recovered funds to their rightful owner.
Duplicate of #81
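Added illustration of the two recovery destinations discussed in this issue, written for this page and not taken from the Rio VestingEscrow code: a simplified escrow whose recovery functions either send stray funds to the vesting recipient (the pattern the report describes) or to the factory owner (the pattern the recommendation asks for). The contract, the IVestingFactory interface and all function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical simplified escrow, added as an illustration; not the Rio VestingEscrow code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Assumed factory interface: exposes the trusted owner address.
interface IVestingFactory {
    function owner() external view returns (address);
}

contract EscrowRecoveryExample {
    IVestingFactory public immutable factory;
    address public immutable recipient; // vesting beneficiary, not necessarily trusted

    constructor(IVestingFactory _factory, address _recipient) {
        factory = _factory;
        recipient = _recipient;
    }

    // Pattern described in the issue: callable by anyone, and stray tokens go to `recipient`.
    // If `recipient` chooses not to forward them, the sender has no way to get them back.
    function recoverERC20ToRecipient(IERC20 token, uint256 amount) external {
        require(token.transfer(recipient, amount), "transfer failed");
    }

    // Pattern from the recommendation: stray tokens go to the factory owner, who is
    // treated as trusted and is expected to forward them to the rightful owner.
    // A real escrow must also exclude the vesting token's locked balance from recovery.
    function recoverERC20ToOwner(IERC20 token, uint256 amount) external {
        require(token.transfer(factory.owner(), amount), "transfer failed");
    }

    // Same destination choice for ether stuck in the contract.
    function recoverEtherToOwner() external {
        (bool ok, ) = factory.owner().call{value: address(this).balance}("");
        require(ok, "ether transfer failed");
    }

    receive() external payable {}
}
```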