The rescueToken() function in the RToken contract is currently unused because there is no implemented function in the Reserve Pool contract that calls it. As a result, its intended functionality cannot be executed.
The rescueToken() function is designed to allow the Reserve Pool to rescue mistakenly sent tokens, excluding the main asset. However, a review of the Reserve Pool contract reveals that there is no function that invokes rescueToken(). This makes the function effectively useless, as it cannot be triggered in the deployed contract system.
Since onlyReservePool restricts access to this function, and no function within the Reserve Pool contract invokes it, there is no way to execute this function in practice.
Due to the absence of an implementation in the Reserve Pool contract, the rescueToken() function cannot be executed as intended. As a result, tokens mistakenly sent to the contract cannot be recovered, potentially leading to permanent loss of funds.
Manual Review
Implement a function in the Reserve Pool contract that properly invokes rescueToken().
Alternatively, allow the contract owner to rescue tokens.
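
A sketch of the first recommendation, added here as an example and not taken from the project's code. The rescueToken() parameter list, the contract name ReservePoolRescueSketch, the function name rescueTokenFromRToken and the single-owner access model are all assumptions, since the finding does not show them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed interface: the finding names rescueToken() but not its parameters.
interface IRTokenRescue {
    function rescueToken(address token, address recipient, uint256 amount) external;
}

// Hypothetical stand-in for the Reserve Pool contract; only the rescue path is shown.
contract ReservePoolRescueSketch {
    address public immutable owner;
    IRTokenRescue public immutable rToken;

    event RTokenRescueForwarded(address indexed token, address indexed recipient, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error ZeroAmount();

    constructor(address rToken_) {
        if (rToken_ == address(0)) revert ZeroAddress();
        owner = msg.sender;
        rToken = IRTokenRescue(rToken_);
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // This contract is msg.sender for the inner call, so RToken's onlyReservePool
    // check passes once RToken is configured with this contract as its Reserve Pool.
    // The main-asset exclusion remains enforced inside RToken.rescueToken().
    function rescueTokenFromRToken(address token, address recipient, uint256 amount)
        external
        onlyOwner
    {
        if (token == address(0) || recipient == address(0)) revert ZeroAddress();
        if (amount == 0) revert ZeroAmount();
        rToken.rescueToken(token, recipient, amount);
        // Emit an event so off-chain monitoring can audit every rescue.
        emit RTokenRescueForwarded(token, recipient, amount);
    }
}
```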