stake.link

DeFi / Hardhat / Bridge
27,500 USDC
Submission Details
Severity: low
Valid

Malicious admin can steal users' rewards using the recoverTokens function

Summary

Whether by mistake or by malicious action, the admin can rug stakers by sending reward tokens out of the contract via the recoverTokens function.

Vulnerability Details

The recoverTokens function is designed to let the admin recover tokens accidentally sent to the contract. It accepts any token address, however, and transfers the contract's entire balance of each listed token to _receiver, so the reward tokens the contract holds for stakers can be swept out exactly like a stray token.

function recoverTokens(address[] calldata _tokens, address _receiver) external onlyOwner {
    if (_receiver == address(0)) revert InvalidReceiver();
    // no check on which tokens are listed: reward tokens are swept along with stray ones
    for (uint256 i = 0; i < _tokens.length; ++i) {
        IERC20 tokenToTransfer = IERC20(_tokens[i]);
        tokenToTransfer.safeTransfer(_receiver, tokenToTransfer.balanceOf(address(this)));
    }
}

While the admin account is trusted, nothing in the function distinguishes stray tokens from reward tokens, so a single call, mistaken or malicious, removes stakers' rewards with no on-chain safeguard. That does not inspire confidence in users, especially those who have been rugged in other protocols.

Impact

  1. Reward tokens held by the contract can be drained by the owner, whether by mistake or on purpose, with no check in place.
  2. Protocol customers are likely to view the project with suspicion in terms of asset safety.

Tools Used

Manual review

Recommendations

Ensure that the tokens being sent out are not among the reward tokens. The check below reads the reward token list from the SDL pool and reverts on any match; the RewardTokenNotAuthorized error is new and must be declared alongside the existing InvalidReceiver error.

function recoverTokens(address[] calldata _tokens, address _receiver) external onlyOwner {
    if (_receiver == address(0)) revert InvalidReceiver();
    // reward tokens tracked by the SDL pool may never be swept out of this contract
    address[] memory tokens = ISDLPoolPrimary(sdlPool).supportedTokens();
    for (uint256 i = 0; i < _tokens.length; ++i) {
        IERC20 tokenToTransfer = IERC20(_tokens[i]);
        for (uint256 x = 0; x < tokens.length; ++x) {
            if (tokens[x] == _tokens[i]) revert RewardTokenNotAuthorized();
        }
        tokenToTransfer.safeTransfer(_receiver, tokenToTransfer.balanceOf(address(this)));
    }
}
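The following self-contained Solidity file is an added illustration of this finding and its fix, not stake.link's code or the submitter's. It deploys a vulnerable controller shaped like the submitted function next to a hardened one, funds both with reward tokens, and shows the first draining the rewards while the second refuses them but still recovers a stray token. It goes slightly beyond the recommendation above: the hardened version also refuses the SDL token itself (the judge's note) and emits an event for every recovery. The pool interface (supportedTokens(), sdlToken()), the contract names (MockToken, MockPool, VulnerableController, HardenedController, Harness), the TokensRecovered event and the minimal ERC20 mock with a plain checked transfer in place of SafeERC20 are all assumptions made so the file compiles and runs with nothing but solc.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added example for this finding, not stake.link's code. The pool interface
// (supportedTokens(), sdlToken()), contract names and token mocks are assumptions
// constructed so the file compiles and runs on its own with solc.

interface IERC20Min {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

// Minimal mintable token standing in for SDL, a reward token and a stray token.
contract MockToken is IERC20Min {
    mapping(address => uint256) public override balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) external override returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Stand-in for the SDL pool the controller queries (assumed interface).
contract MockPool {
    address public immutable sdlToken;
    address[] private rewardTokens;

    constructor(address _sdlToken, address[] memory _rewardTokens) {
        sdlToken = _sdlToken;
        rewardTokens = _rewardTokens;
    }

    function supportedTokens() external view returns (address[] memory) { return rewardTokens; }
}

error InvalidReceiver();
error RewardTokenNotAuthorized(address token);

// Shape of the function as submitted: any token, whole balance, owner only.
contract VulnerableController {
    address public owner;

    constructor() { owner = msg.sender; }

    function recoverTokens(address[] calldata _tokens, address _receiver) external {
        require(msg.sender == owner, "not owner");
        if (_receiver == address(0)) revert InvalidReceiver();
        for (uint256 i = 0; i < _tokens.length; ++i) {
            IERC20Min t = IERC20Min(_tokens[i]);
            require(t.transfer(_receiver, t.balanceOf(address(this))), "transfer failed");
        }
    }
}

// Hardened form: refuses every pool reward token and the SDL token itself,
// and logs what was actually recovered so sweeps are auditable on-chain.
contract HardenedController {
    address public owner;
    address public immutable sdlPool;

    event TokensRecovered(address indexed token, address indexed receiver, uint256 amount);

    constructor(address _sdlPool) { owner = msg.sender; sdlPool = _sdlPool; }

    function isProtected(address token) public view returns (bool) {
        if (token == MockPool(sdlPool).sdlToken()) return true;
        address[] memory rewards = MockPool(sdlPool).supportedTokens();
        for (uint256 x = 0; x < rewards.length; ++x) {
            if (rewards[x] == token) return true;
        }
        return false;
    }

    function recoverTokens(address[] calldata _tokens, address _receiver) external {
        require(msg.sender == owner, "not owner");
        if (_receiver == address(0)) revert InvalidReceiver();
        for (uint256 i = 0; i < _tokens.length; ++i) {
            if (isProtected(_tokens[i])) revert RewardTokenNotAuthorized(_tokens[i]);
            IERC20Min t = IERC20Min(_tokens[i]);
            uint256 amount = t.balanceOf(address(this));
            require(t.transfer(_receiver, amount), "transfer failed");
            emit TokensRecovered(_tokens[i], _receiver, amount);
        }
    }
}

// Deploys everything (Harness is the owner of both controllers), funds both with
// 100 reward tokens and the hardened one with 5 stray tokens, then sweeps.
contract Harness {
    function run() external returns (uint256 drained, bool blocked, uint256 strayRecovered) {
        MockToken sdl = new MockToken();
        MockToken reward = new MockToken();
        MockToken stray = new MockToken();
        address[] memory rewards = new address[](1);
        rewards[0] = address(reward);
        MockPool pool = new MockPool(address(sdl), rewards);

        VulnerableController v = new VulnerableController();
        HardenedController h = new HardenedController(address(pool));
        reward.mint(address(v), 100);
        reward.mint(address(h), 100);
        stray.mint(address(h), 5);

        address[] memory list = new address[](1);
        list[0] = address(reward);
        v.recoverTokens(list, address(this));          // stakers' rewards leave the contract
        drained = reward.balanceOf(address(this));

        try h.recoverTokens(list, address(this)) {     // same call against the hardened form
            blocked = false;
        } catch {
            blocked = true;                            // reverted with RewardTokenNotAuthorized
        }

        list[0] = address(stray);
        h.recoverTokens(list, address(this));          // stray token is still recoverable
        strayRecovered = stray.balanceOf(address(this));
    }
}
```

Deploy Harness on any local node (Hardhat or anvil) and call run(): it returns the amount of reward tokens the vulnerable controller handed to the caller, whether the hardened controller reverted the same call, and the stray-token amount the hardened controller still recovered. Reading the protected list through isProtected keeps the policy in one place, so the same check can be reused by any future sweep or migration function on the contract.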
Updates

Lead Judging Commences

0kage Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

recover-check

Disallow recovery of sdl tokens
