The RToken::rescueToken function, which is restricted by the onlyReservePool modifier, is never invoked within the LendingPool contract. Based on the protocol’s testing suite, the reserve pool is expected to be assigned to the LendingPool, but since no call to RToken::rescueToken exists in LendingPool, the function remains inaccessible, preventing token rescue operations.
Problem description
The RToken::setReservePool function is used to configure the reserve pool, and the onlyReservePool modifier enforces access control for certain privileged functions. However, since LendingPool—which is designated as the reserve pool—never calls rescueToken, the function cannot be utilized for its intended purpose.
Affected Code in RToken
Steps to reproduce
1. Configure the reserve pool using RToken::setReservePool, assigning it to LendingPool.
2. Attempt to call rescueToken from an external account; it will revert due to the onlyReservePool modifier.
3. Check the LendingPool contract and confirm that rescueToken is never invoked, rendering it inaccessible.
Loss of fund recovery functionality: Tokens mistakenly sent to RToken cannot be recovered.
Unusable function: rescueToken is effectively dead code due to lack of invocation.
Operational inefficiency: The protocol lacks a viable mechanism to recover assets trapped in the contract.
Manual Review
Modify LendingPool to include a function that calls RToken::rescueToken, or provide an alternative mechanism for administrative token recovery. If rescueToken is unnecessary, it could be removed from the codebase.
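A sketch of the first option, added here as an illustration and not taken from the protocol's code: the reserve pool exposes an owner-gated entry point that forwards to the guarded function, so the onlyReservePool check passes. The contract names RTokenSketch and LendingPoolSketch, the rescueToken parameter list, the owner check and the TokenRescued event are all assumptions, since the page does not show the real signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed for the sketch.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Stand-in for RToken. The rescueToken parameters are assumed.
contract RTokenSketch {
    address public reservePool;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    modifier onlyReservePool() {
        require(msg.sender == reservePool, "only reserve pool");
        _;
    }

    function setReservePool(address pool) external {
        require(msg.sender == owner, "only owner");
        reservePool = pool;
    }

    // Reachable only when the reserve pool itself makes the call.
    function rescueToken(address token, address to, uint256 amount) external onlyReservePool {
        require(IERC20Like(token).transfer(to, amount), "transfer failed");
    }
}

// Stand-in for LendingPool with the missing forwarding function (hypothetical).
contract LendingPoolSketch {
    RTokenSketch public immutable rToken;
    address public immutable owner;

    event TokenRescued(address indexed token, address indexed to, uint256 amount);

    constructor(RTokenSketch rToken_) { rToken = rToken_; owner = msg.sender; }

    // Without a function like this, no caller can ever satisfy onlyReservePool.
    function rescueTokenFromRToken(address token, address to, uint256 amount) external {
        require(msg.sender == owner, "only owner");
        require(to != address(0), "zero recipient");
        rToken.rescueToken(token, to, amount); // RToken sees msg.sender == this pool
        emit TokenRescued(token, to, amount);
    }
}
```

A production version would also need to decide which tokens may be rescued, so that the recovery path cannot be used to move the assets the RToken is meant to hold.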