Submission Details
Severity:
Rewards receiver can't be updated by the owner, if it gets compromised funds can be stolen
Vulnerability Details
In the OperatorVault, the rewards receiver plays a crutial role as it's the only allowed entity to withdraw rewards from the vault
function withdrawRewards() external onlyRewardsReceiver {
_withdrawRewards();
}
function _withdrawRewards() private {
...
if (balance != 0) {
@> token.safeTransfer(rewardsReceiver, balance);
}
...
}
As can be seen rewards are transfered directly to the receiver, however if this account gets compromised, by current logic there is no way the owner to change the address as it allows only the current receiver to do it. The owner can update only if the receiver is not set yet. This missing functionality can result in funds being stolen from the vault.
function setRewardsReceiver(address _rewardsReceiver) public {
if (rewardsReceiver != address(0) && msg.sender != rewardsReceiver)
revert OnlyRewardsReceiver();
if (rewardsReceiver == address(0) && msg.sender != owner()) revert OnlyRewardsReceiver();
if (_rewardsReceiver == address(0)) revert ZeroAddress();
rewardsReceiver = _rewardsReceiver;
emit SetRewardsReceiver(_rewardsReceiver);
}
Tools Used
Manual Review
Recommendations
Allow only the owner to be able to update the receiver address
Updates
Prize pool breakdown
Total prize
50,000 USDC
nSLOC
2,53020 USDC / LOC
42,000 USDC
4,250 USDC
3,750 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.