Lines of code
<https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L585-L592>
Malicious owner can steal any created pledge even to drain the whole contract
Functions like recoverERC20 are good to recover tokens accidentally transferred to a contract.
The common approach for these function is to exclude real tokens handled by the protocol otherwise admin can just rug pull the contract.
In your case, as admin can add/remove reward tokens with the funcion removeRewardToken, he can call
this function first to bypass the require statement in recoverERC20
function stealToken(address tokenToSteal){
removeRewardToken(tokenToSteal);
recoverERC20(tokenToSteal);
}
One way to solve this is to keep a balance of every token and let owner to transfer the difference (if it exists), though this solution will cost some gas.
The text was updated successfully, but these errors were encountered:
All reactions