Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high

Tokens with airdrops will have their airdrop lost

Summary

If the reward token has an airdrop which is not on the whitelist, the airdropped token will be stuck in the contract forever.

Vulnerability Details

From reading the NatSpec and README files, we know that if the protocol is sent a token which is not on the whitelist, that token will be lost forever.

There is a way to rescue a token stuck in the proxy contract after the deployment and distribution of prizes, but only when the token is whitelisted. If the token is not whitelisted and someone sends it by mistake, it will be stuck there forever.

The README also states that the most common tokens will be on the whitelist. COMP is definitely one of the tokens that will be whitelisted due to its popularity and market cap.

The problem arises when the airdropped token is not on the whitelist. In that case, as the README explains, it will be stuck forever and cannot be recovered.

Impact

Tokens will be stuck in the contract forever. This is a loss of funds for the user or the protocol itself.

Tools Used

Manual review

Recommendations

Since the owner is trusted, add a function that can rescue stuck funds.
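
One way such a rescue function could look, as an added sketch that is not code from the Sparkn repository or from this submission. The contract, function, event and error names are hypothetical, and it assumes the holding contract can check whether a token is whitelisted; the sweep is limited to non-whitelisted tokens so it cannot be used to move prize funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration only. All names below are hypothetical and are not
// taken from the Sparkn code base.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
}

contract RescuableHolder {
    address public immutable owner;
    mapping(address => bool) public isWhitelisted; // tokens accepted as prizes

    event TokenRescued(address indexed token, address indexed to, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error WhitelistedToken();
    error NothingToRescue();
    error TransferFailed();

    constructor(address[] memory whitelist) {
        owner = msg.sender;
        for (uint256 i = 0; i < whitelist.length; ++i) {
            isWhitelisted[whitelist[i]] = true;
        }
    }

    /// Sweeps the full balance of a non-whitelisted token (e.g. an airdrop) to `to`.
    /// Whitelisted tokens are rejected so this path never touches prize funds,
    /// which stay on the existing whitelisted-token recovery path.
    function rescueNonWhitelisted(address token, address to) external {
        if (msg.sender != owner) revert NotOwner();
        if (token == address(0) || to == address(0)) revert ZeroAddress();
        if (isWhitelisted[token]) revert WhitelistedToken();

        uint256 amount = IERC20Minimal(token).balanceOf(address(this));
        if (amount == 0) revert NothingToRescue();

        // Low-level call tolerates tokens whose transfer() returns no value.
        (bool ok, bytes memory ret) =
            token.call(abi.encodeWithSignature("transfer(address,uint256)", to, amount));
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert TransferFailed();

        emit TokenRescued(token, to, amount);
    }
}
```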
