Code4rena (code423n4): 2022-04-XTRIBE-FINDINGS-ISSUES-57
Apr 27, 2022

setFlywheelRewards can take any rewardToken


Lines of code

Vulnerability details

Impact

Although setFlywheelRewards is protected by requiresAuth, it still carries rug risk: a privileged caller can move the entire rewardToken balance held by flywheelRewards to a new (possibly malicious) newFlywheelRewards unconditionally, in a single transaction.

Proof of Concept

A malicious privileged user or a compromised admin can call setFlywheelRewards in flywheel-v2/src/FlywheelCore.sol, which transfers all rewardToken to newFlywheelRewards directly.

Tools Used

vim, ethers.js

Recommended Mitigation Steps

Use a timelock on the setFlywheelRewards function before transferring all rewardToken to the new FlywheelRewards address.

Or split it into two functions with different auth:

  1. One function sets the new FlywheelRewards address (without transferring rewards), gated by requiresAuth for admin role A.
  2. A separate function transfers all rewardToken, gated by requiresAuth for admin role B.
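As an added illustration (not the Flywheel source), a Solidity sketch of the single-call pattern the finding describes next to a timelocked two-step replacement; the contract name, the `DELAY` value and the assumption that the outgoing rewards module has approved the core contract to pull its balance are mine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
// Illustrative sketch, not the Flywheel source. Assumes the outgoing rewards
// module has approved this contract to pull its rewardToken balance.
contract FlywheelRewardsSwitch {
    IERC20 public immutable rewardToken;
    address public flywheelRewards;
    address public immutable admin;
    uint256 public constant DELAY = 2 days; // timelock length, an assumed value
    address public pendingFlywheelRewards;
    uint256 public pendingEta;
    event FlywheelRewardsProposed(address newRewards, uint256 eta);
    event FlywheelRewardsUpdate(address newRewards);
    modifier onlyAdmin() { require(msg.sender == admin, "UNAUTHORIZED"); _; }

    constructor(IERC20 _rewardToken, address _flywheelRewards) {
        rewardToken = _rewardToken;
        flywheelRewards = _flywheelRewards;
        admin = msg.sender;
    }

    // Weak pattern from the finding: one privileged call moves the whole balance.
    function setFlywheelRewardsUnsafe(address newRewards) external onlyAdmin {
        _migrate(newRewards);
    }

    // Hardened step 1: announce the new module on-chain; no funds move yet.
    function proposeFlywheelRewards(address newRewards) external onlyAdmin {
        pendingFlywheelRewards = newRewards;
        pendingEta = block.timestamp + DELAY;
        emit FlywheelRewardsProposed(newRewards, pendingEta);
    }

    // Hardened step 2: executable only after DELAY, so users can see and react.
    function executeFlywheelRewards() external onlyAdmin {
        address newRewards = pendingFlywheelRewards;
        require(newRewards != address(0), "NOTHING_PENDING");
        require(block.timestamp >= pendingEta, "TIMELOCK_ACTIVE");
        pendingFlywheelRewards = address(0);
        _migrate(newRewards);
    }

    function _migrate(address newRewards) internal {
        uint256 bal = rewardToken.balanceOf(flywheelRewards);
        if (bal > 0) require(rewardToken.transferFrom(flywheelRewards, newRewards, bal), "TRANSFER_FAILED");
        flywheelRewards = newRewards;
        emit FlywheelRewardsUpdate(newRewards);
    }
}
```

The proposed address and `eta` are public and emitted, so monitoring can alert on `FlywheelRewardsProposed` well before any reward balance moves.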
