Closed sherlock-admin2 closed 9 months ago
Invalid, admins are trusted entities trusted to not be malicious. See point 5. of sherlock rules. Additionally, the factory contract is purely used for deployment of escrow contracts only
1 comment(s) were left on this issue during the judging contest.
pratraut commented:
'invalid due to owner being TRUSTED entity'
OrderSol
high
Owner has excessive access to user funds
Summary
As the user must approve VestingEscrowFactory for the token, the owner can get access to any funds thus approved.

Vulnerability Detail
Steps:
1) The user approves VestingEscrowFactory for X tokens, where X is often uint256.max due to convenience or UX.
2) The owner can then frontrun the user with recoverERC20 before the user calls deployVestingContract, or maliciously or erroneously move funds after.

Impact
HIGH - user funds at risk.
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrowFactory.sol#L80
Tool used
Manual Review
Recommendation
Make recoverERC20 allow moving funds only if token_ != token (not the token set up in the constructor).
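The recommended guard written out, as an added illustration that is not the Rio vesting escrow code and not code from this issue: the contract, its owner handling, the custom errors and the minimal ERC20 interface are assumptions; only the function name recoverERC20, its token_ parameter and the token state variable come from the recommendation above. The point it shows is that a privileged sweep function is kept from ever naming the one asset users grant allowances to the factory for, so that path stays harmless regardless of how the function evolves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 interface: only what this example calls.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical factory (an assumption for this example, not the audited
// contract). `token` is the vesting token that users approve the factory for.
contract ExampleEscrowFactory {
    address public immutable owner;
    address public immutable token; // vesting token fixed at deployment

    error NotOwner();
    error CannotRecoverVestingToken();

    constructor(address token_) {
        owner = msg.sender;
        token = token_;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Sweeps tokens sent to the factory by mistake. The guard refuses the
    // vesting token itself, so this owner-only path can never move the asset
    // users hold allowances for, whichever way it is later extended.
    function recoverERC20(address token_, uint256 amount) external onlyOwner {
        if (token_ == token) revert CannotRecoverVestingToken();
        bool ok = IERC20(token_).transfer(owner, amount);
        require(ok, "transfer failed");
    }
}
```

In production the raw `transfer` call should go through a safe-transfer wrapper (for example OpenZeppelin's SafeERC20), since some tokens return nothing instead of a bool; the guard itself is independent of that choice.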