Closed sherlock-admin3 closed 1 month ago
The owner is assumed fully trusted and non-malicious. From the competition rules: "Even when possible, governance is assumed to not confiscate/manipulate specific user funds/positions without a good reason. This means that reports that claim that governance can take specific users funds are not considered issues."
JuggerNaut63
High
Unauthorized Token Recovery via recoverERC20 Function
Summary
The recoverERC20 function allows the contract owner to recover any ERC20 token from the contract, except the staking token. While this is useful for recovering mistakenly sent tokens, it can be misused by a malicious owner to withdraw important tokens, potentially harming the users and the integrity of the contract.
Vulnerability Detail
- recoverERC20 function.
- recoverERC20 with the address of a valuable ERC20 token and the amount to transfer.
- recoverERC20 function executes successfully, transferring the specified ERC20 tokens from the contract to the owner's address.
Impact
Code Snippet
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/endgame-toolkit/src/synthetix/StakingRewards.sol#L166-L170
Tool used
Manual Review
Recommendation
- recoverERC20.
- recoverERC20 function.
- recoverERC20 function
- recoverERC20 function calls.
PoC
forge test --match-path test/ExploitTest.sol [⠒] Compiling... [⠊] Compiling 1 files with Solc 0.8.25 [⠒] Solc 0.8.25 finished in 1.85s Compiler run successful!
Ran 1 test for test/ExploitTest.sol:ExploitTest [PASS] testExploit() (gas: 71295) Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 22.75ms (8.98ms CPU time)
Ran 1 test suite in 23.81ms (22.75ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
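The recovery pattern discussed in the report, as an added illustration that is not the audited StakingRewards code: recoverERC20Basic follows the Synthetix-style check that protects only the staking token, and recoverERC20Strict shows a narrower variant that also refuses to sweep rewards still owed to stakers. The contract, the rewardsReserved counter and the minimal IERC20 interface are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25;

// Added illustration only; a minimal interface and owner check stand in for
// the OpenZeppelin/Synthetix dependencies of the real contract.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract RecoverableStaking {
    address public owner;
    IERC20 public immutable stakingToken;
    IERC20 public immutable rewardsToken;
    uint256 public totalSupply;     // staked balance owed to users
    uint256 public rewardsReserved; // rewards funded but not yet paid (assumed bookkeeping)

    event Recovered(address token, uint256 amount);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 _stakingToken, IERC20 _rewardsToken) {
        owner = msg.sender;
        stakingToken = _stakingToken;
        rewardsToken = _rewardsToken;
    }

    // Synthetix-style recovery: only the staking token is off limits, so any
    // other token held by the contract, including the rewards token, can be swept.
    function recoverERC20Basic(address token, uint256 amount) external onlyOwner {
        require(token != address(stakingToken), "Cannot withdraw the staking token");
        require(IERC20(token).transfer(owner, amount), "transfer failed");
        emit Recovered(token, amount);
    }

    // Narrower recovery: the staking token is still refused, and the rewards
    // token may only be swept above the amount still reserved for stakers.
    function recoverERC20Strict(address token, uint256 amount) external onlyOwner {
        require(token != address(stakingToken), "Cannot withdraw the staking token");
        if (token == address(rewardsToken)) {
            uint256 excess = rewardsToken.balanceOf(address(this)) - rewardsReserved;
            require(amount <= excess, "Cannot withdraw reserved rewards");
        }
        require(IERC20(token).transfer(owner, amount), "transfer failed");
        emit Recovered(token, amount);
    }
}
```

Either variant still rests on the owner being trusted, which is the basis on which the judge closed this report; the strict form only narrows what a compromised owner key could move.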