Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-10-PALADIN-FINDINGS-ISSUES-219
HistoryOct 30, 2022 - 12:00 a.m.

[M1] Owner can steal any createdPledge's tokens

2022-10-3000:00:00
Code4rena
github.com
5
malicious activity
token theft
contract vulnerability
protocol security
admin control
JSON

Lines of code
<https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L585-L592&gt;

Vulnerability details

Impact

Malicious owner can steal any created pledge even to drain the whole contract

Proof of Concept

Functions like recoverERC20 are good to recover tokens accidentally transferred to a contract.

The common approach for these function is to exclude real tokens handled by the protocol otherwise admin can just rug pull the contract.

In your case, as admin can add/remove reward tokens with the funcion removeRewardToken, he can call
this function first to bypass the require statement in recoverERC20

function stealToken(address tokenToSteal){
    removeRewardToken(tokenToSteal);
    recoverERC20(tokenToSteal);
}

Recommended

One way to solve this is to keep a balance of every token and let owner to transfer the difference (if it exists), though this solution will cost some gas.

The text was updated successfully, but these errors were encountered:

All reactions

JSON