Submission Details
Severity: high

Malicious user can execute sellProfits and DoS _staking from swapping his fees

Summary

In Fees.sol, anyone can call sellProfit and pass whatever ERC20 address he wants, which opens the door to various attacks, for example denial-of-service.

Vulnerability Details

Vulnerable line:
uint256 amount = IERC20(_profits).balanceOf(address(this));

If the attacker passes his own ERC20 implementation as _profits, and its balanceOf function is implemented differently from a standard token's (i.e. it does not return the contract's real current balance), he would be able to freeze the entire protocol and prevent _staking from swapping its real profits for WETH.

Impact

Since everyone can execute the sellProfit function, the contract leaves the door open to various malicious actions, such as gas griefing and denial-of-service.

Tools Used

Manual

Recommendations

Add a modifier that restricts normal users from calling this important function. If allowing anyone to claim fees on behalf of _staking is intended behavior, consider instead adding a whitelist of profit tokens managed by the contract owner, so that only known tokens can ever be passed as _profits.
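The following is an added illustration of the second recommendation (an owner-managed token whitelist); it is not the audited project's Fees.sol. The names FeesHardened, allowedProfitToken, setProfitToken and the one-function ISwapRouter are assumptions made for the example, and the swap itself (including slippage handling, which is outside this finding) is abstracted behind that hypothetical router interface. The vulnerable line from the report is kept as-is so the effect of the check in front of it is clear.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC20 surface used by the fee-selling path.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical router used only for this example: sells `amountIn` of
// `tokenIn` for WETH and returns the WETH amount received.
interface ISwapRouter {
    function swapToWETH(address tokenIn, uint256 amountIn) external returns (uint256);
}

contract FeesHardened {
    address public immutable owner;
    address public immutable WETH;
    address public immutable staking;
    ISwapRouter public immutable router;

    // Whitelist: only tokens the owner has explicitly approved may be
    // passed as _profits. An attacker-deployed ERC20 with a hostile
    // balanceOf/transfer never reaches the swap path.
    mapping(address => bool) public allowedProfitToken;

    event ProfitTokenSet(address indexed token, bool allowed);
    event ProfitsSold(address indexed token, uint256 amountIn, uint256 wethOut);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _weth, address _staking, ISwapRouter _router) {
        owner = msg.sender;
        WETH = _weth;
        staking = _staking;
        router = _router;
    }

    // Owner manages the whitelist. WETH is the output asset, so it is
    // never a valid input token.
    function setProfitToken(address token, bool allowed) external onlyOwner {
        require(token != WETH, "WETH is the output, not an input");
        allowedProfitToken[token] = allowed;
        emit ProfitTokenSet(token, allowed);
    }

    // Still callable by anyone (keeps the permissionless "claim on behalf
    // of _staking" behaviour), but only for whitelisted tokens. To take the
    // first recommendation instead, add `onlyOwner` here and drop the
    // whitelist check.
    function sellProfits(address _profits) external {
        require(allowedProfitToken[_profits], "token not whitelisted");

        // The line flagged in the report: with the whitelist in front of it,
        // balanceOf is only ever called on a token the owner vetted.
        uint256 amount = IERC20(_profits).balanceOf(address(this));
        require(amount > 0, "nothing to sell");

        require(IERC20(_profits).approve(address(router), amount), "approve failed");
        uint256 received = router.swapToWETH(_profits, amount);

        // Forward all WETH held by this contract to the staking contract.
        uint256 wethBalance = IERC20(WETH).balanceOf(address(this));
        require(IERC20(WETH).transfer(staking, wethBalance), "transfer failed");
        emit ProfitsSold(_profits, amount, received);
    }
}
```

The whitelist check sits before any external call into the user-supplied address, so a call with an unknown token reverts before balanceOf, approve or the router are ever reached; the ProfitTokenSet event gives off-chain monitoring a clear record of which tokens were enabled and when.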
