Code4rena: 2022-10-paladin findings, issue 249
Oct 30, 2022
Malicious owner can steal reward tokens


Lines of code

Vulnerability details

The recoverERC20 function allows the contract owner to transfer arbitrary ERC20 tokens owned by the WardenPledge contract in order to recover tokens sent by mistake to the contract. In order to protect against withdrawal of deposited reward tokens, it includes a check that the withdrawn token is not currently an approved rewards token:

```solidity
/**
 * @notice Recovers ERC20 tokens sent by mistake to the contract
 * @dev Recovers ERC20 tokens sent by mistake to the contract
 * @param token Address of the ERC20 token
 * @return bool: success
 */
function recoverERC20(address token) external onlyOwner returns (bool) {
  // Only guard: the token must not currently be an approved reward token
  if (minAmountRewardToken[token] != 0) revert Errors.CannotRecoverToken();

  uint256 amount = IERC20(token).balanceOf(address(this));
  if (amount == 0) revert Errors.NullValue();
  IERC20(token).safeTransfer(owner(), amount);

  return true;
}
```

However, the contract owner also has the ability to remove reward tokens, and can bypass the check in recoverERC20 in two transactions: first call removeRewardToken to set minAmountRewardToken[token] to zero, then call recoverERC20, which now sees the token as "not a reward token" and transfers the contract's entire balance, including tokens deposited by pledge creators, to the owner:

```solidity
function removeRewardToken(address token) external onlyOwner {
  if (token == address(0)) revert Errors.ZeroAddress();
  if (minAmountRewardToken[token] == 0) revert Errors.NotAllowedToken();

  // No check that pledges still hold this token
  minAmountRewardToken[token] = 0;

  emit RemoveRewardToken(token);
}
```

Impact: A malicious (or compromised) owner can steal all reward tokens deposited into active pledges, since the balance of a removed token is no longer distinguishable from tokens sent by mistake.

Recommendation: Disallow removing a reward token while pledges that use it are still active. This will likely require tracking, per token, the number of open pledges (or the amount they hold) in a separately stored data structure, and checking it in removeRewardToken (and, for defence in depth, in recoverERC20 as well).
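The following is an added illustration, not Paladin's code: a minimal stand-in for the parts of WardenPledge the finding touches, with the recommended fix applied. The contract keeps a per-token counter of open pledges (`activePledges`), incremented when a pledge is created and decremented when it is closed, and both `removeRewardToken` and `recoverERC20` revert while that counter is non-zero. The `Pledge` struct, `createPledge`, `closePledge`, the `TokenStillInUse` error and the simple `owner` variable are assumptions introduced for the example and do not mirror the real contract's pledge logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example, not Paladin's code. Minimal model of the reward-token
// bookkeeping in WardenPledge plus the recommended "active pledge" tracking.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

contract PledgeModel {
    address public owner;

    // Same role as in the original: non-zero means "approved reward token".
    mapping(address => uint256) public minAmountRewardToken;

    // Added: number of open pledges still holding each reward token.
    // This is the "separately stored data structure" the recommendation asks for.
    mapping(address => uint256) public activePledges;

    // Assumed, simplified pledge record (the real contract stores much more).
    struct Pledge { address creator; address rewardToken; uint256 amount; bool closed; }
    Pledge[] public pledges;

    error ZeroAddress();
    error NullValue();
    error NotAllowedToken();
    error CannotRecoverToken();
    error TokenStillInUse(address token, uint256 openPledges); // assumed

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    function addRewardToken(address token, uint256 minAmount) external onlyOwner {
        if (token == address(0)) revert ZeroAddress();
        if (minAmount == 0) revert NullValue();
        minAmountRewardToken[token] = minAmount;
    }

    // Anyone can open a pledge, which escrows reward tokens in this contract.
    function createPledge(address token, uint256 amount) external returns (uint256 id) {
        if (minAmountRewardToken[token] == 0) revert NotAllowedToken();
        if (amount < minAmountRewardToken[token]) revert NullValue();
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        pledges.push(Pledge(msg.sender, token, amount, false));
        activePledges[token] += 1;           // token is now "in use"
        return pledges.length - 1;
    }

    // Closing a pledge returns its escrow and releases the token for removal.
    function closePledge(uint256 id) external {
        Pledge storage p = pledges[id];
        require(msg.sender == p.creator, "not creator");
        require(!p.closed, "already closed");
        p.closed = true;
        activePledges[p.rewardToken] -= 1;   // decrement before the external call
        require(IERC20(p.rewardToken).transfer(p.creator, p.amount), "transfer failed");
    }

    // Hardened version: the owner cannot de-list a token that pledges still hold,
    // so the removeRewardToken -> recoverERC20 sequence from the finding reverts here.
    function removeRewardToken(address token) external onlyOwner {
        if (token == address(0)) revert ZeroAddress();
        if (minAmountRewardToken[token] == 0) revert NotAllowedToken();
        if (activePledges[token] != 0) revert TokenStillInUse(token, activePledges[token]);
        minAmountRewardToken[token] = 0;
    }

    // Recovery keeps the original check and adds the same in-use guard, so even a
    // token that was never listed (or was removed earlier) cannot be drained while
    // a pledge references it.
    function recoverERC20(address token) external onlyOwner returns (bool) {
        if (minAmountRewardToken[token] != 0) revert CannotRecoverToken();
        if (activePledges[token] != 0) revert TokenStillInUse(token, activePledges[token]);
        uint256 amount = IERC20(token).balanceOf(address(this));
        if (amount == 0) revert NullValue();
        require(IERC20(token).transfer(owner, amount), "transfer failed");
        return true;
    }
}
```

With this model, the attack sequence from the finding (owner calls `removeRewardToken(token)` after a user has called `createPledge(token, amount)`) reverts with `TokenStillInUse` until every pledge for that token is closed; only then can the token be de-listed and any leftover balance recovered. Two caveats for a real implementation: every path that ends a pledge (close, expiry, cancellation) must decrement the counter, otherwise the token becomes permanently un-removable (fail-safe, but inconvenient); and a counter alone does not stop the owner from draining tokens sent by mistake that happen to share an address with an active reward token, which is acceptable because those funds are indistinguishable from pledge escrow anyway.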
