Code4rena (code423n4), ID: CODE423N4:2022-10-PALADIN-FINDINGS-ISSUES-233
Published: Oct 30, 2022

Excessive owner privilege - can freeze pledge creator's funds after pledging period completed.

Source: Code4rena (github.com)
Tags: owner privilege, freeze funds, pledge creator, vulnerability, centralization risk

Lines of code

Vulnerability details

Description

The retrievePledgeRewards() function is called by the pledge creator, and only after the pledge's endTimestamp has passed. It collects all unused reward tokens for the creator.
Because it can only run after endTimestamp, the pledge has for all intents and purposes finished, and no pledging API other than retrievePledgeRewards can still work.

There is therefore no justification for gating this function behind the whenNotPaused modifier. The gate creates a needless centralization risk: the owner can freeze funds that, at this stage, belong to the creator.

Impact

The owner can freeze the pledge creator's funds after the pledging period has completed.

Tools Used

Manual audit

Recommended Mitigation Steps

Remove the whenNotPaused modifier from retrievePledgeRewards.

Note that this submission is similar in spirit to VTVL finding 475, in that the owner is able to freeze / delete funds after the maturity period.
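
The pattern described above, shown as an added sketch that is not the audited project's code: the pause-gated refund sits beside the ungated form the mitigation recommends. The contract name PledgeSketch, the struct layout, setPaused, the withdrawn ledger (a stand-in for a token transfer) and retrievePledgeRewardsGated are assumptions made for illustration; only retrievePledgeRewards, whenNotPaused and endTimestamp come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Simplified, hypothetical pledge contract for illustration only.
contract PledgeSketch {
    struct Pledge {
        address creator;
        uint64 endTimestamp;
        uint256 unusedRewards;
        bool closed;
    }

    address public immutable owner;
    bool public paused;
    Pledge[] public pledges;
    mapping(address => uint256) public withdrawn; // stand-in for an ERC-20 transfer

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor() { owner = msg.sender; }

    function setPaused(bool p) external onlyOwner { paused = p; }

    // An entry point where a pause gate is reasonable: it takes in new funds.
    function createPledge(uint64 endTimestamp, uint256 rewards) external whenNotPaused returns (uint256) {
        require(endTimestamp > block.timestamp, "end in past");
        pledges.push(Pledge(msg.sender, endTimestamp, rewards, false));
        return pledges.length - 1;
    }

    // As reported: while paused is true, the creator's refund reverts with "paused".
    function retrievePledgeRewardsGated(uint256 id) external whenNotPaused { _retrieve(id); }

    // As recommended: identical checks, no dependency on the owner's pause switch.
    function retrievePledgeRewards(uint256 id) external { _retrieve(id); }

    function _retrieve(uint256 id) internal {
        Pledge storage p = pledges[id];
        require(msg.sender == p.creator, "not creator");
        require(block.timestamp > p.endTimestamp, "not ended");
        require(!p.closed, "already retrieved");
        p.closed = true;                 // state is updated before value moves
        uint256 amount = p.unusedRewards;
        p.unusedRewards = 0;
        withdrawn[msg.sender] += amount; // a real contract would transfer the token here
    }
}
```

When reviewing a pausable contract, list every function carrying whenNotPaused and confirm that none of them is the only exit path for funds that already belong to a user.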

