Code4rena finding CODE423N4:2023-07-MOONWELL-FINDINGS-ISSUES-266
Jul 31, 2023

Any extra reward tokens that accumulate in the contract remain locked there permanently.

Source: Code4rena (github.com)
Tags: contract lock, loss of control, excess tokens, recovery costs, withdrawal function, reward emission, upgrade, mitigation steps

Lines of code

Vulnerability details

Impact

Funds get locked in the contract, resulting in loss of asset control, loss of funds, and increased costs to recover the funds.

Proof of Concept

1. Reviewing the list of external and public functions, there is no withdraw() or reclaim() function.
2. Scanning the contract code, there are no internal or private functions for withdrawals either.
3. The _rescueFunds() function can only be called by the Comptroller admin, not the MultiRewardDistributor admin.

There are no modifiers such as onlyAdmin that restrict access to a withdrawal function.
In summary, the lack of any external withdrawal capability means there is currently no way to reclaim funds from this contract.

Withdrawing excess tokens could be useful for the following reasons:

  • If configured emission speeds are too high, excess tokens build up in the contract. The admin may want to reclaim these.
  • If reward emission is turned off, leftover tokens remain locked in the contract. There is no way to get these out.
  • When upgrading the reward distributor to a new contract, excess tokens in the old contract remain locked. There is no way to migrate them.
  • If the emission token is upgraded/swapped, the old tokens remain stuck in the contract.

Tools Used

Manual

Recommended Mitigation Steps

  • Add a _reclaimExcessTokens function that allows a config owner to withdraw their excess rewards that have accrued.
  • Allow the _rescueFunds function to specify the beneficiary, rather than always being the Comptroller admin.
  • Automatically sweep excess rewards to config owners on a regular basis.
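The first two mitigation steps above, worked into one simplified Solidity sketch. This is an added example and is not Moonwell's MultiRewardDistributor code or a fix supplied by the Code4rena finding; the contract, its EmissionConfig struct, the totalAccrued liability field, the "config owner" role and the minimal IERC20 interface are assumptions made for illustration. The point it shows is the bound that makes such a withdrawal safe: "excess" is the contract's token balance minus what users are still owed, so neither the config-owner reclaim nor the admin rescue can pay out rewards that have already accrued.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface used by this sketch (assumption: standard ERC-20 semantics,
// i.e. transfer() returns a bool).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative stand-in for a reward distributor. Names and fields are
/// assumptions for this example, not the audited contract.
contract RewardDistributorSketch {
    struct EmissionConfig {
        address owner;        // party allowed to reclaim excess of this emission token
        uint256 totalAccrued; // rewards credited to users but not yet paid out (liability)
    }

    address public immutable comptrollerAdmin;
    mapping(address => EmissionConfig) public configs; // emission token => config

    event ExcessReclaimed(address indexed token, address indexed to, uint256 amount);
    event FundsRescued(address indexed token, address indexed to, uint256 amount);

    constructor(address _comptrollerAdmin) {
        comptrollerAdmin = _comptrollerAdmin;
    }

    /// Admin registers which address owns an emission config (hypothetical setter).
    function setConfigOwner(address token, address owner) external {
        require(msg.sender == comptrollerAdmin, "not comptroller admin");
        configs[token].owner = owner;
    }

    /// Excess = tokens held by the contract beyond what users are still owed.
    /// Returns 0 rather than underflowing when the contract is under-funded.
    function excessOf(address token) public view returns (uint256) {
        uint256 bal = IERC20(token).balanceOf(address(this));
        uint256 owed = configs[token].totalAccrued;
        return bal > owed ? bal - owed : 0;
    }

    /// Mitigation 1: the config owner reclaims only the excess of its own emission token.
    function _reclaimExcessTokens(address token, address to) external {
        require(msg.sender == configs[token].owner, "not config owner");
        require(to != address(0), "zero beneficiary");
        uint256 amount = excessOf(token);
        require(amount > 0, "nothing to reclaim");
        require(IERC20(token).transfer(to, amount), "transfer failed");
        emit ExcessReclaimed(token, to, amount);
    }

    /// Mitigation 2: rescue with an explicit beneficiary instead of a hard-coded admin.
    /// Capping the amount at the excess is a conservative choice of this sketch so
    /// that a rescue can never touch rewards already credited to users.
    function _rescueFunds(address token, address to, uint256 amount) external {
        require(msg.sender == comptrollerAdmin, "not comptroller admin");
        require(to != address(0), "zero beneficiary");
        require(amount <= excessOf(token), "exceeds excess");
        require(IERC20(token).transfer(to, amount), "transfer failed");
        emit FundsRescued(token, to, amount);
    }
}
```

The third mitigation (a periodic automatic sweep) would reuse the same excessOf bound from a keeper job or from the accrual path; in all three variants the `balance - owed` check is the guard that matters, since a withdrawal path that ignores outstanding liabilities turns a locked-funds bug into a loss-of-funds bug. Tokens that do not return a bool from transfer (USDT-style) will revert on the bare `require(transfer(...))` shown here, so production code should use a SafeERC20-style wrapper.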

Assessed type

Other
