Formal Charcoal Boa - In the `incase_token_got_stuck::incase_token_got_stuck_handler()` function, there is no limit on the amount of tokens that the pool owner can sweep from the pool, allowing them to even sweep any `unclaimed_fee` accrued in the pool

[sherlock-admin4]

Formal Charcoal Boa

High

In the incase_token_got_stuck::incase_token_got_stuck_handler() function, there is no limit on the amount of tokens that the pool owner can sweep from the pool, allowing them to even sweep any unclaimed_fee accrued in the pool

Summary

The incase_token_got_stuck_handler() function allows the pool owner to sweep stuck tokens from the pool. However, the function lacks a limit on the sweep amount, enabling the pool owner to also sweep any unclaimed_fee.

Root Cause

In the incase_token_got_stuck_handler() function, there are no limitations on the amount that can be swept.

This allows the pool owner to sweep any quantity of tokens from the pool, including any unclaimed_fee accrued in the pool.

pub fn incase_token_got_stuck_handler(
    ctx: Context<IncaseTokenGotStuck>,
    amount: u128,
) -> Result<()> {
    let to_token_account = &ctx.accounts.to_token_account;
    let token_vault = &ctx.accounts.token_vault;
    let woopool = &mut ctx.accounts.woopool;

    transfer_from_vault_to_owner(
        woopool,
        token_vault,
        to_token_account,
        &ctx.accounts.token_program,
        amount as u64,
    )?;

    Ok(())
}

Internal pre-conditions

External pre-conditions

Attack Path

1. Alice, a malicious user, creates pools.
2. Users swap tokens through Alice's pools, accumulating fees in her quote pool.
3. Alice then claims all accrued fees by calling the incase_token_got_stuck_handler() function, leaving no protocol fee.

Impact

Pool owners can also sweep any unclaimed_fee that has accrued in the pool.

PoC

Mitigation

It is recommended to enable the incase_token_got_stuck_handler() function only in emergencies.