Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

RToken::rescueToken() can never be called

Description

Inside RToken.sol, the emergency function rescueToken() has an onlyReservePool modifier, which restricts calls to the LendingPool contract and no one else.

File: contracts/core/tokens/RToken.sol

    // @audit onlyReservePool: callable only by the LendingPool contract
    function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyReservePool {
        if (recipient == address(0)) revert InvalidAddress();
        if (tokenAddress == _assetAddress) revert CannotRescueMainAsset();
        IERC20(tokenAddress).safeTransfer(recipient, amount);
    }

However, there is no function inside LendingPool.sol that calls the aforementioned function. LendingPool.sol does have a function named rescueToken(), but that one rescues funds from the LendingPool contract, not from the RToken one.

Impact

The functionality which RToken::rescueToken() aims to provide can never be used. Any stuck funds can never be rescued.

Mitigation

Add a function inside LendingPool.sol which looks like this:

    // Owner-only forwarder so that LendingPool, the only allowed caller, can reach RToken::rescueToken()
    function rescueTokenFromRTokenContract(address tokenAddress, address recipient, uint256 amount) external onlyOwner {
        require(amount > 0);
        IRToken(reserve.reserveRTokenAddress).rescueToken(tokenAddress, recipient, amount);
    }
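A source-level check for this class of bug, written here as an added example (not code from the submission or the project): it lists functions gated by a modifier and reports those the privileged caller never invokes as a member call, which also separates LendingPool's own same-named rescueToken() from a real call into RToken. The contract sources are constructed, simplified stand-ins, and the helper names (stripComments, gatedFunctions, unreachableGated) are hypothetical.

```javascript
// Constructed, simplified stand-ins for the two contracts (not the project's full sources).
const rTokenSrc = `
contract RToken {
    function mint(address to, uint256 amount) external onlyReservePool {}
    function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyReservePool {}
}`;
const lendingPoolSrc = `
contract LendingPool {
    function deposit(uint256 amount) external {
        IRToken(reserve.reserveRTokenAddress).mint(msg.sender, amount);
    }
    // Same name, but this one rescues funds held by LendingPool itself.
    function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyOwner {
        IERC20(tokenAddress).safeTransfer(recipient, amount);
    }
}`;
// The pool with the forwarder from the Mitigation section appended.
const fixedPoolSrc = lendingPoolSrc.replace(/}\s*$/, `
    function rescueTokenFromRTokenContract(address tokenAddress, address recipient, uint256 amount) external onlyOwner {
        require(amount > 0);
        IRToken(reserve.reserveRTokenAddress).rescueToken(tokenAddress, recipient, amount);
    }
}`);

// Drop comments so a commented-out call is not counted as a call site.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "");
}

// Names of functions in `src` whose header carries `modifier`.
function gatedFunctions(src, modifier) {
  const header = /function\s+(\w+)\s*\([^)]*\)([^{;]*)[{;]/g;
  const gate = new RegExp(`\\b${modifier}\\b`);
  return [...stripComments(src).matchAll(header)]
    .filter((m) => gate.test(m[2]))
    .map((m) => m[1]);
}

// Gated functions that `callerSrc` never invokes as a member call (`x.name(`).
// A same-named `function name(` definition inside the caller is not a call.
function unreachableGated(targetSrc, callerSrc, modifier) {
  const caller = stripComments(callerSrc);
  return gatedFunctions(targetSrc, modifier).filter(
    (name) => !new RegExp(`\\.\\s*${name}\\s*\\(`).test(caller)
  );
}

console.log(unreachableGated(rTokenSrc, lendingPoolSrc, "onlyReservePool")); // [ 'rescueToken' ]
console.log(unreachableGated(rTokenSrc, fixedPoolSrc, "onlyReservePool"));   // []
```

The match is a regex heuristic over source text, so treat a hit as a prompt to review the call graph rather than as proof.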
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::rescueToken() can never be called
