Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

[M] Incorrect access control for `rescueToken` Function in `RToken`

Singularity

Summary

The rescueToken function in the RToken contract is never called in the ReservePool, making it impossible to recover or rescue tokens mistakenly sent to this contract. It is recommended to use the onlyOwner modifier instead. The rescueToken in LendingPool only able to rescue tokens deposited in that contract only.

Vulnerability Details

The current rescueToken function in the RToken contract is:

function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyReservePool {
if (recipient == address(0)) revert InvalidAddress();
if (tokenAddress == _assetAddress) revert CannotRescueMainAsset();
IERC20(tokenAddress).safeTransfer(recipient, amount);
}

The current rescueToken function in the LendingPool contract is:

function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyOwner {
if (recipient == address(0)) revert InvalidAddress();
if (tokenAddress == _assetAddress) revert CannotRescueMainAsset();
IERC20(tokenAddress).safeTransfer(recipient, amount);
}

This function is intended to rescue tokens mistakenly sent to the RToken contract. However, it is never called in the ReservePool, making it impossible to recover or rescue tokens.

Links to the issues:

  1. https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/RToken.sol#L337

  2. https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L731

Impact

This issue prevents the recovery or rescue of tokens mistakenly sent to the RToken contract, potentially leading to loss of tokens.

Tools Used

Manual code review.

Recommendations

Update the rescueToken function to use the onlyOwner modifier instead of onlyReservePool. This ensures that the function can be called by the contract owner to recover or rescue tokens.

Corrected rescueToken Function

function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyOwner {
if (recipient == address(0)) revert InvalidAddress();
if (tokenAddress == _assetAddress) revert CannotRescueMainAsset();
IERC20(tokenAddress).safeTransfer(recipient, amount);
}

This ensures that the rescueToken function can be called by the contract owner to recover or rescue tokens mistakenly sent to the RToken contract.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::rescueToken() can never be called

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!