Lines of code
<https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L585>
WardenPledge contract has a sweeping function (recoverERC20) to handle mistakenly sent ERC20 tokens:
function recoverERC20(address token) external onlyOwner returns(bool) {
if(minAmountRewardToken[token] != 0) revert Errors.CannotRecoverToken();
uint256 amount = IERC20(token).balanceOf(address(this));
if(amount == 0) revert Errors.NullValue();
IERC20(token).safeTransfer(owner(), amount);
return true;
}
The code will not allow registered reward tokens to be transfered due to the rugging potential. It checks if minAmountRewardToken[token] != 0, which is True for registered tokens.
However, owner can easily bypass this check using removeRewardToken function:
function removeRewardToken(address token) external onlyOwner {
if(token == address(0)) revert Errors.ZeroAddress();
if(minAmountRewardToken[token] == 0) revert Errors.NotAllowedToken();
minAmountRewardToken[token] = 0;
emit RemoveRewardToken(token);
}
This function sets any minAmountRewardToken[token] that is not 0, to 0.
Therefore, owner can instantly call:
Itβs very important to not allow owner such dangerous operation because:
Owner can steal all ERC20 tokens including rewards, of the contract.
Manual audit
This threat can be fully mitigated using these steps:
This solution will limit only reward tokens from being claimed by the owner, which is the desired behavior.
The text was updated successfully, but these errors were encountered:
All reactions