Although setFlywheelRewards is protected by requiresAuth, it still carries rug-pull risk: a privileged user can unconditionally move the entire rewardToken balance of flywheelRewards to a new (possibly malicious) newFlywheelRewards.
A malicious privileged user or a compromised admin can call setFlywheelRewards in flywheel-v2/src/FlywheelCore.sol, which transfers all rewardToken to newFlywheelRewards directly.
Tools used: vim, ethers.js
Use a timelock on the setFlywheelRewards function before transferring all rewardToken to the new FlywheelRewards address.
Alternatively, separate it into two functions with different auth:
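The following is an added illustration of both mitigations combined (a timelock plus a split of the migration into two functions held by different roles). It is not the flywheel-v2 project's code: the contract, the function names proposeFlywheelRewards / cancelFlywheelRewards / executeFlywheelRewards, the state variables pendingFlywheelRewards / rewardsChangeReadyAt / REWARDS_CHANGE_DELAY, and the plain owner / rewardsExecutor split standing in for requiresAuth are all assumptions made for the example. It also assumes the outgoing rewards module has approved the core to pull its rewardToken, and uses a minimal IERC20 interface so that it compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Minimal ERC20 surface used by the example. Assumption: a stand-in for the
// token/transfer library the real project uses, so this file compiles alone.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative core with a timelocked, two-role migration of the rewards module.
/// Hypothetical names: proposeFlywheelRewards, cancelFlywheelRewards,
/// executeFlywheelRewards, pendingFlywheelRewards, rewardsChangeReadyAt,
/// REWARDS_CHANGE_DELAY, owner, rewardsExecutor. The owner/executor pair is a
/// simplified replacement for the project's requiresAuth modifier.
contract TimelockedFlywheelCore {
    IERC20 public immutable rewardToken;
    address public flywheelRewards;

    // Proposal state: execution is only possible once rewardsChangeReadyAt has passed.
    address public pendingFlywheelRewards;
    uint256 public rewardsChangeReadyAt;
    uint256 public constant REWARDS_CHANGE_DELAY = 2 days;

    // Separate authorities: one key proposes, a different key executes.
    address public owner;
    address public rewardsExecutor;

    event FlywheelRewardsProposed(address indexed newFlywheelRewards, uint256 readyAt);
    event FlywheelRewardsProposalCancelled(address indexed cancelledFlywheelRewards);
    event FlywheelRewardsUpdate(address indexed newFlywheelRewards);

    modifier onlyOwner() {
        require(msg.sender == owner, "UNAUTHORIZED");
        _;
    }

    modifier onlyRewardsExecutor() {
        require(msg.sender == rewardsExecutor, "UNAUTHORIZED");
        _;
    }

    constructor(IERC20 _rewardToken, address _flywheelRewards, address _owner, address _rewardsExecutor) {
        rewardToken = _rewardToken;
        flywheelRewards = _flywheelRewards;
        owner = _owner;
        rewardsExecutor = _rewardsExecutor;
    }

    /// Step 1 (owner): announce the new rewards module. No funds move here, so
    /// users and monitoring get REWARDS_CHANGE_DELAY to inspect the target and react.
    function proposeFlywheelRewards(address newFlywheelRewards) external onlyOwner {
        require(newFlywheelRewards != address(0), "ZERO_ADDRESS");
        pendingFlywheelRewards = newFlywheelRewards;
        rewardsChangeReadyAt = block.timestamp + REWARDS_CHANGE_DELAY;
        emit FlywheelRewardsProposed(newFlywheelRewards, rewardsChangeReadyAt);
    }

    /// The owner can withdraw a proposal, for example after the target is flagged.
    function cancelFlywheelRewards() external onlyOwner {
        address cancelled = pendingFlywheelRewards;
        require(cancelled != address(0), "NO_PROPOSAL");
        delete pendingFlywheelRewards;
        delete rewardsChangeReadyAt;
        emit FlywheelRewardsProposalCancelled(cancelled);
    }

    /// Step 2 (executor): only after the delay, and only to the announced target,
    /// move the reward balance and switch the module. Assumption: the outgoing
    /// rewards module has approved this core to pull its rewardToken.
    function executeFlywheelRewards() external onlyRewardsExecutor {
        address newFlywheelRewards = pendingFlywheelRewards;
        require(newFlywheelRewards != address(0), "NO_PROPOSAL");
        require(block.timestamp >= rewardsChangeReadyAt, "TIMELOCK_ACTIVE");

        // Clear the proposal before any external call.
        delete pendingFlywheelRewards;
        delete rewardsChangeReadyAt;

        uint256 oldRewardBalance = rewardToken.balanceOf(flywheelRewards);
        if (oldRewardBalance > 0) {
            require(
                rewardToken.transferFrom(flywheelRewards, newFlywheelRewards, oldRewardBalance),
                "TRANSFER_FAILED"
            );
        }

        flywheelRewards = newFlywheelRewards;
        emit FlywheelRewardsUpdate(newFlywheelRewards);
    }
}
```

Two properties follow from this shape. A single compromised key can no longer drain the rewards module on its own, because the proposing role and the executing role differ and the executor can only move funds to the address that was publicly announced. The delay between FlywheelRewardsProposed and FlywheelRewardsUpdate gives users time to claim or exit and gives monitoring something concrete to alert on: any proposal whose target is not a known, reviewed rewards contract.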