Submission Details
Severity:
Tokens cannot be rescued from RToken contract
Vulnerability Details
The RToken contract has a function called rescueTokenwhich allows the reserve pool to rescue tokens. Problem is that the pool does not implement this function.
// RToken.sol
function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyReservePool {
if (recipient == address(0)) revert InvalidAddress();
if (tokenAddress == _assetAddress) revert CannotRescueMainAsset();
IERC20(tokenAddress).safeTransfer(recipient, amount);
}
Notice the LendingPool has a function to rescue tokens, but this is to rescue tokens from the LendingPool, not the RToken contract.
// LendingPool.sol
function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyOwner {
require(tokenAddress != reserve.reserveRTokenAddress, "Cannot rescue RToken");
IERC20(tokenAddress).safeTransfer(recipient, amount);
}
Impact
Tokens sent to the
RTokencontract will be permanently lost since they cannot be recovered.
Tools Used
Manual Review
Recommendations
Implement a restricted function in LendingPool to call the RToken.rescueToken.
Updates
Lead Judging Commences
inallhonesty 5 months ago
Submission Judgement Published Assigned finding tags:
RToken::rescueToken() can never be called
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.