Liquid Staking

Stakelink
DeFiHardhatOracle
50,000 USDC
Submission Details
Severity: high
Invalid

StakingPool#strategyWithdraw() Allows Admins to Rug Users

Summary

The StakingPool#strategyWithdraw() function allows the contract owner to withdraw asset tokens from any registered strategy. This is a significant centralization risk: the implementation gives the admin role direct control over user funds held in strategies, which could lead to severe outcomes, including a rug pull.

Vulnerability Details

The function lets the admin pull tokens out of a strategy and is implemented as follows:

    // Owner-only: forwards a withdrawal request to the strategy at _index.
    // The only validation is the bounds check on _index.
    function strategyWithdraw(uint256 _index, uint256 _amount, bytes calldata _data) external onlyOwner {
        require(_index < strategies.length, "Strategy does not exist");
        IStrategy(strategies[_index]).withdraw(_amount, _data);
    }

While the owner is expected to be a 5/7 multisig, there is no guarantee that this will be the case: the protocol can simply deploy this contract with an EOA. What is known for certain is how the function is implemented, and that it grants whoever holds the owner role the ability to call withdraw() on every strategy, for any amount, with no delay and no on-chain notice to stakers. Note that the snippet only forwards the call; which address ends up holding the withdrawn tokens is determined by each strategy's withdraw() implementation, which is not shown here. The risk is that users can suffer significant financial losses and lose their deposits suddenly.

Impact

Significant centralization risk, which can result in:

  • Significant Financial Loss: Users' funds could be withdrawn without consent, leading to a total loss of assets.

Tools Used

Manual code review

Recommendations

The design should be fundamentally changed so that admins cannot execute such impactful actions unilaterally. I recommend removing this function entirely and implementing a new mechanism that allows users to withdraw their funds directly from strategies if needed, coupled with an off-chain system that would, for example, allow users to grant approvals to admins for such actions.
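As an added illustration (not code from this submission or from the stake.link codebase), the following hypothetical pool keeps the admin's ability to pull funds from a strategy but splits it into a queue step and an execute step separated by an on-chain delay. The point is that a queued withdrawal is visible in events and storage before any tokens move, so stakers and monitors can react. The IStrategy interface is assumed to match the call in the report; the two-day delay, the contract name and all function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal strategy interface, assumed to match the call made in the report.
interface IStrategy {
    function withdraw(uint256 _amount, bytes calldata _data) external;
}

/// Hypothetical pool showing one mitigation for the reported centralization
/// risk: the owner can still trigger strategy withdrawals, but every
/// withdrawal must be announced on-chain and can only be executed after a
/// fixed delay. Illustrative code, not stake.link's StakingPool.
contract TimelockedStakingPool {
    uint256 public constant WITHDRAW_DELAY = 2 days; // assumed delay

    address public owner;
    address[] public strategies;

    // id => earliest timestamp at which the queued withdrawal may execute (0 = not queued)
    mapping(bytes32 => uint256) public executeAfter;

    event StrategyWithdrawQueued(bytes32 indexed id, uint256 index, uint256 amount, uint256 eta);
    event StrategyWithdrawExecuted(bytes32 indexed id);
    event StrategyWithdrawCancelled(bytes32 indexed id);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address[] memory _strategies) {
        owner = msg.sender;
        strategies = _strategies;
    }

    /// Deterministic id: one (index, amount, data) tuple maps to one slot, so
    /// execute() can only run exactly what was announced.
    function withdrawId(uint256 _index, uint256 _amount, bytes calldata _data) public pure returns (bytes32) {
        return keccak256(abi.encode(_index, _amount, keccak256(_data)));
    }

    /// Step 1: announce the withdrawal. No tokens move yet.
    function queueStrategyWithdraw(uint256 _index, uint256 _amount, bytes calldata _data)
        external
        onlyOwner
        returns (bytes32 id)
    {
        require(_index < strategies.length, "Strategy does not exist");
        id = withdrawId(_index, _amount, _data);
        require(executeAfter[id] == 0, "Already queued");
        uint256 eta = block.timestamp + WITHDRAW_DELAY;
        executeAfter[id] = eta;
        emit StrategyWithdrawQueued(id, _index, _amount, eta);
    }

    /// Step 2: execute only once the delay has elapsed, then clear the slot so
    /// the same announcement cannot be replayed.
    function executeStrategyWithdraw(uint256 _index, uint256 _amount, bytes calldata _data) external onlyOwner {
        bytes32 id = withdrawId(_index, _amount, _data);
        uint256 eta = executeAfter[id];
        require(eta != 0, "Not queued");
        require(block.timestamp >= eta, "Timelock not expired");
        delete executeAfter[id];
        IStrategy(strategies[_index]).withdraw(_amount, _data);
        emit StrategyWithdrawExecuted(id);
    }

    /// Abort a queued withdrawal before it executes.
    function cancelStrategyWithdraw(bytes32 id) external onlyOwner {
        require(executeAfter[id] != 0, "Not queued");
        delete executeAfter[id];
        emit StrategyWithdrawCancelled(id);
    }
}
```

The same effect can be obtained without changing the pool by making its owner an OpenZeppelin TimelockController instead of a raw multisig or EOA. Either way, a delay does not remove the capability; it turns a silent, instantaneous withdrawal into a publicly observable one, and it is only useful if stakers have a working exit path during the delay window.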

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
