The contract depends heavily on _getWToken() to map collateral tokens to wrapped tokens (wTokens). If this mapping is accidentally or maliciously modified (e.g., unset or changed), the contract's core logic will fail, potentially causing user funds to become irretrievable.
The contract relies on getWToken to retrieve the corresponding wToken for a collateralToken. If the _collateralTokenToWToken mapping is manipulated (e.g., unset or changed), the entire contract's logic could fail or lead to fund loss.
Exploitation:
Setup
- Register a wToken for a collateralToken.
- Deposit and receive the wToken.
Exploits
- The contract owner (or a compromised function) updates _collateralTokenToWToken[_collateralToken] = address(0).
- Now any function relying on _getWToken() will break, failing to process redemptions.
Code locations of concern
- If the _wTokenToCollateralToken mapping is incorrect, funds could be trapped or misallocated.
- If a wToken's minting or burning mechanism fails, the contract may not function as intended.
- If collateralTokenToToken[_collateralToken] is misconfigured, redemptions will not work properly.
Manual review
Fix
    // Custom error raised when no wToken is registered for the collateral token.
    error CollateralTokenNotRegistered();

    function safeGetWToken(address collateralToken) internal view returns (address) {
        address wToken = collateralTokenToToken[collateralToken];
        if (wToken == address(0)) {
            revert CollateralTokenNotRegistered();
        }
        return wToken;
    }
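
The checked getter above makes a missing entry fail with a clear error, but it does not stop the entry from being unset or changed in the first place. The sketch below is an added example, not code from the audited contract: a hypothetical WTokenRegistery-style contract (the contract name, registerWToken, the owner check, the events and the error names other than CollateralTokenNotRegistered are all assumptions) that makes registration write-once and keeps the forward and reverse mappings consistent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical registry, written for illustration only (not the audited contract).
contract WTokenRegistry {
    error NotOwner();
    error ZeroAddress();
    error CollateralTokenNotRegistered();
    error CollateralTokenAlreadyRegistered(address collateralToken);
    error WTokenAlreadyRegistered(address wToken);

    event WTokenRegistered(address indexed collateralToken, address indexed wToken);

    address public immutable owner;
    mapping(address => address) private _collateralTokenToWToken;
    mapping(address => address) private _wTokenToCollateralToken;

    constructor() {
        owner = msg.sender;
    }

    /// Write-once registration: an existing pair can be neither cleared
    /// (address(0) is rejected) nor silently repointed (duplicates revert).
    function registerWToken(address collateralToken, address wToken) external {
        if (msg.sender != owner) revert NotOwner();
        if (collateralToken == address(0) || wToken == address(0)) revert ZeroAddress();
        if (_collateralTokenToWToken[collateralToken] != address(0)) {
            revert CollateralTokenAlreadyRegistered(collateralToken);
        }
        if (_wTokenToCollateralToken[wToken] != address(0)) {
            revert WTokenAlreadyRegistered(wToken);
        }
        // Both directions are written together so they cannot drift apart.
        _collateralTokenToWToken[collateralToken] = wToken;
        _wTokenToCollateralToken[wToken] = collateralToken;
        emit WTokenRegistered(collateralToken, wToken);
    }

    /// Read side: same check as the fix above, plus an invariant check that
    /// the reverse mapping still points back at this collateral token.
    function getWToken(address collateralToken) public view returns (address wToken) {
        wToken = _collateralTokenToWToken[collateralToken];
        if (wToken == address(0)) revert CollateralTokenNotRegistered();
        assert(_wTokenToCollateralToken[wToken] == collateralToken);
    }
}
```

Write-once registration means a mistaken pair cannot be corrected in place, so any migration path would have to be a separate, explicitly reviewed mechanism.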