The owner of the WardenPledge.sol smart contract can steal all the reward tokens from the contract and break the internal accounting. With the recoverERC20 function, the owner can transfer to him/herself the whole balance of the token.
The check at L654 (if(minAmountRewardToken[token] != 0) revert Errors.CannotRecoverToken();) can be bypassed by first calling the removeRewardToken function and setting the if(minAmountRewardToken[token] to zero.
This will also break the internal accounting, as multiple functions of the smart contract, like closePledge and retrievePledgeRewards will break.
function recoverERC20(address token) external onlyOwner returns(bool) {
if(minAmountRewardToken[token] != 0) revert Errors.CannotRecoverToken();
uint256 amount = IERC20(token).balanceOf(address(this));
if(amount == 0) revert Errors.NullValue();
IERC20(token).safeTransfer(owner(), amount);
return true;
}
Manual code review
It is recommended to delete the removeRewardToken function or to create a mapping that tracks the balance of the reward token that is transferred to the smart contract, and then let the owner to only call the recoverERC20 function with the difference amount: uint256 amount = IERC20(token).balanceOf(address(this)) - amountOfToken[token];
The text was updated successfully, but these errors were encountered:
All reactions