stake.link
Tags: DeFi, Hardhat, Bridge
27,500 USDC
Severity: medium
Invalid

If multiple users accidentally send the same token (e.g. USDC) to the SDLPoolCCIPController.sol contract, only one user receives all of the tokens and the other users lose theirs

Summary

If multiple users mistakenly send the same token (e.g. USDC) to the SDLPoolCCIPController.sol contract, only one user receives all of the tokens and the other users lose theirs.

Vulnerability Details

SDLPoolCCIPController::recoverTokens is the function that returns tokens a user accidentally sent to the contract. Its code is below:

File: SDLPoolCCIPController.sol

```solidity
// Owner-only recovery: for each listed token, the contract's ENTIRE balance of that
// token is sent to a single receiver.
function recoverTokens(address[] calldata _tokens, address _receiver) external onlyOwner {
    if (_receiver == address(0)) revert InvalidReceiver();
    for (uint256 i = 0; i < _tokens.length; ++i) {
        IERC20 tokenToTransfer = IERC20(_tokens[i]);
        // balanceOf(address(this)) merges every user's mistaken deposit into one transfer
        tokenToTransfer.safeTransfer(_receiver, tokenToTransfer.balanceOf(address(this)));
    }
}
```

The problem is that this function does not handle the case where multiple users accidentally send the same token to the contract. If several users do so, only one of them receives the whole balance of that token, because the function transfers the amount returned by balanceOf(address(this)); every unit of that token held by the contract therefore goes to a single receiver.

Impact

Only one user receives all of the tokens and the other users lose theirs.

Tools Used

Manual review

Recommended Mitigation

Consider tracking the tokens that users accidentally send, storing the per-user amounts in an array, and distributing them to each user accordingly.
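The following contract is an added illustration of the sweep behaviour described in the Vulnerability Details section and of the per-user distribution proposed in the mitigation; it is example code written for this page, not stake.link's code, and the contract name, the three-array `recoverTokens` signature, the custom errors and the `TokensRecovered` event are assumptions. One caveat the mitigation glosses over: a contract cannot observe a plain ERC20 `transfer()` made to it, so it has no on-chain record of who sent what. The attribution therefore has to be established off-chain (from the token's `Transfer` events) and passed in by the owner, which is what the hardened function accepts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Hypothetical recovery contract (added example, not stake.link code).
/// Inbound ERC20 `transfer()` calls are invisible to the receiving contract, so the
/// owner supplies the per-user attribution (derived off-chain from Transfer events)
/// instead of sweeping `balanceOf(address(this))` to one receiver.
contract TokenRecoveryExample {
    using SafeERC20 for IERC20;

    address public immutable owner;

    error NotOwner();
    error InvalidReceiver();
    error LengthMismatch();
    error ZeroAmount();
    error InsufficientBalance(address token, uint256 requested, uint256 available);

    /// @dev Emitted per recovered entry so the split is auditable on-chain.
    event TokensRecovered(address indexed token, address indexed receiver, uint256 amount);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// @notice Sweep-style recovery with the same shape as the function quoted in the
    /// report: the whole balance of each token goes to ONE receiver, so deposits made by
    /// several users are merged and all but one of them lose their tokens.
    function recoverTokensSweep(address[] calldata _tokens, address _receiver) external onlyOwner {
        if (_receiver == address(0)) revert InvalidReceiver();
        for (uint256 i = 0; i < _tokens.length; ++i) {
            IERC20 tokenToTransfer = IERC20(_tokens[i]);
            tokenToTransfer.safeTransfer(_receiver, tokenToTransfer.balanceOf(address(this)));
        }
    }

    /// @notice Per-user recovery: entry i returns `_amounts[i]` of `_tokens[i]` to
    /// `_receivers[i]`. The same token may appear several times with different receivers,
    /// which is exactly the multi-sender case the sweep cannot express.
    /// A mis-sized entry reverts the whole batch instead of silently shorting a later user.
    function recoverTokens(
        address[] calldata _tokens,
        address[] calldata _receivers,
        uint256[] calldata _amounts
    ) external onlyOwner {
        if (_tokens.length != _receivers.length || _tokens.length != _amounts.length) {
            revert LengthMismatch();
        }
        for (uint256 i = 0; i < _tokens.length; ++i) {
            if (_receivers[i] == address(0)) revert InvalidReceiver();
            if (_amounts[i] == 0) revert ZeroAmount();
            IERC20 token = IERC20(_tokens[i]);
            // Explicit balance check: gives a clear failure reason naming the token and the
            // shortfall rather than relying on the token's own revert message.
            uint256 available = token.balanceOf(address(this));
            if (available < _amounts[i]) revert InsufficientBalance(_tokens[i], _amounts[i], available);
            token.safeTransfer(_receivers[i], _amounts[i]);
            emit TokensRecovered(_tokens[i], _receivers[i], _amounts[i]);
        }
    }
}
```

With two users who each sent 100 USDC by mistake, the owner would call `recoverTokens([usdc, usdc], [userA, userB], [100e6, 100e6])`; the sweep variant could only send all 200e6 to one of them. The emitted `TokensRecovered` events give reviewers a record to reconcile against the original `Transfer` events.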

Updates

Lead Judging Commences

0kage (Lead Judge), over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
