Unprotected USDC Recovery Leading to Draining of Staking Rewards
Summary
The StakingRewardsV2 contract contains a critical vulnerability in its recoverERC20 function. While the function is designed to allow the contract owner to recover accidentally sent ERC20 tokens, it fails to protect USDC tokens, which are used as rewards in the staking system. This oversight could potentially allow the owner to drain USDC rewards from the contract, disrupting the reward distribution mechanism and compromising the integrity of the staking protocol.
Vulnerability Detail
The vulnerability is located in the recoverERC20 function of the StakingRewardsV2 contract. This function allows the contract owner to recover any ERC20 token from the contract, with the exception of the KWENTA token (used for staking). However, it fails to implement similar protection for USDC tokens, which are used as rewards in the staking system. The contract defines USDC as an immutable state variable. And uses it for reward calculations and distributions throughout the contract, as evidenced by variables and functions such as rewardRateUSDC, rewardsUSDC, and earnedUSDC.
The lack of protection for USDC in the recoverERC20 function creates a critical security hole. An owner with malicious intent or a compromised owner account could exploit this vulnerability to drain USDC rewards from the contract, severely impacting the protocol's functionality and user trust.
Impact
The potential consequences of this vulnerability are severe:
Draining of Rewards: The contract owner could potentially withdraw all USDC rewards from the contract, leaving stakers unable to claim their earned rewards.
Disruption of Reward Mechanism: By removing USDC from the contract, the entire reward distribution system would be compromised, as there would be insufficient funds to pay out rewards.
Loss of User Funds: Users who have staked their tokens expecting USDC rewards would effectively lose their earned rewards if they were drained from the contract.
Sparkly Grape Fly
Low/Info
Unprotected USDC Recovery Leading to Draining of Staking Rewards
Summary
The StakingRewardsV2 contract contains a critical vulnerability in its
recoverERC20
function. While the function is designed to allow the contract owner to recover accidentally sent ERC20 tokens, it fails to protect USDC tokens, which are used as rewards in the staking system. This oversight could potentially allow the owner to drain USDC rewards from the contract, disrupting the reward distribution mechanism and compromising the integrity of the staking protocol.Vulnerability Detail
The vulnerability is located in the
recoverERC20
function of the StakingRewardsV2 contract. This function allows the contract owner to recover any ERC20 token from the contract, with the exception of the KWENTA token (used for staking). However, it fails to implement similar protection for USDC tokens, which are used as rewards in the staking system. The contract defines USDC as an immutable state variable. And uses it for reward calculations and distributions throughout the contract, as evidenced by variables and functions such asrewardRateUSDC
,rewardsUSDC
, andearnedUSDC
.The lack of protection for USDC in the
recoverERC20
function creates a critical security hole. An owner with malicious intent or a compromised owner account could exploit this vulnerability to drain USDC rewards from the contract, severely impacting the protocol's functionality and user trust.Impact
The potential consequences of this vulnerability are severe:
Code Snippet
https://github.com/sherlock-audit/2024-07-kwenta-staking-contracts/blob/0527fb7425206a3338c23177416436c6286cedf9/token/contracts/StakingRewardsV2.sol#L710-L716
Tool used
Manual Review
Recommendation
Modify the
recoverERC20
function to protect both KWENTA and USDC tokens: