`rescue(...)` in `CapitalPool.sol` Contract introduces a rug-pull vector
Summary
The rescue(...) function in the CapitalPool.sol contract allows the owner to withdraw any token from the contract and transfer it to any address without restrictions. This poses a substantial security risk as it can be exploited if the owner's private key is compromised or if the owner acts maliciously. Such exploitation could lead to the theft of all contract funds, causing significant financial loss to users.
Vulnerability Details
The CapitalPool.sol contract inherits the Rescuable.sol contract, which includes the rescue(...) function. This function permits the owner to withdraw any token and transfer it to any address without limitations. This creates a vulnerability where, if the contract owner is malicious or if the owner's private key is compromised, all funds held by the contract could be stolen.
Impact
Exploitation of the rescue(...) function, either through malicious action by the owner or due to a compromised wallet, could result in the total loss of all funds within the contract, causing users to lose their assets.
Tools Used
Manual code review
Recommendations
Assuming that this function is necessary for situation to resuce funds in case of emergency, it is recommended to:
Implement a multi-signature mechanism to control the withdrawal of funds.
token sent, amount and destination address should be verified against
userTokenBalanceMapto ensure that there's no violation of user's funds.consider pausing the contract in case of emergency and then withdraw funds.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.