Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Trapped Tokens Due to Unused RToken Rescue Function

Summary

RToken has a rescueToken function for recovering trapped tokens, but neither LendingPool nor ReservePool ever calls it, so any tokens accidentally sent to the RToken contract are permanently trapped.

Vulnerability Details

    // RToken.sol
    function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyReservePool {
        if (recipient == address(0)) revert InvalidAddress();
        if (tokenAddress == _assetAddress) revert CannotRescueMainAsset();
        IERC20(tokenAddress).safeTransfer(recipient, amount);
    }

    // LendingPool.sol and ReservePool.sol
    // No implementation of token rescue functionality exists

  1. User accidentally sends USDT to RToken

  2. No rescue mechanism exists in LendingPool/ReservePool

  3. USDT is permanently trapped

Impact

RToken exposes a rescueToken function, but it can never be used because nothing in LendingPool or ReservePool calls it.

Tools Used

Manual

Recommendations

Implement a rescue function in LendingPool:

    // Forwards the rescue request so that RToken.rescueToken has a caller.
    function rescueTokenFromRToken(
        address token,
        address recipient,
        uint256 amount
    ) external onlyOwner {
        IRToken(rToken).rescueToken(token, recipient, amount);
        emit TokenRescued(token, recipient, amount);
    }

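A repository-level check for this class of issue, added here as an example and not part of the original submission or the project's code: it scans Solidity sources for functions guarded by a contract-only modifier and reports those with no call site in any other file. The sample sources are constructed, the names `CONTRACT_ONLY`, `guardedFunctions` and `uncalledGuarded` are hypothetical, and it assumes `onlyReservePool` admits only another contract as caller.

```javascript
// Constructed sample sources, trimmed from the snippets in this report.
const sources = {
  "RToken.sol": `
    contract RToken {
      function rescueToken(address tokenAddress, address recipient, uint256 amount)
        external onlyReservePool {
        IERC20(tokenAddress).safeTransfer(recipient, amount);
      }
      function mint(address to, uint256 amount) external onlyReservePool {}
    }`,
  "LendingPool.sol": `
    contract LendingPool {
      function deposit(uint256 amount) external {
        IRToken(rToken).mint(msg.sender, amount);
      }
    }`,
};

// Assumption: these modifiers admit only another contract as caller, so a
// guarded function with no call site elsewhere in the code base is unreachable.
const CONTRACT_ONLY = ["onlyReservePool"];

// List external/public functions guarded by one of the CONTRACT_ONLY modifiers.
function guardedFunctions(src) {
  const re = /function\s+(\w+)\s*\([^)]*\)([^{;]*)/g;
  const found = [];
  for (const m of src.matchAll(re)) {
    const modifier = CONTRACT_ONLY.find((x) => new RegExp(`\\b${x}\\b`).test(m[2]));
    if (modifier && /\b(external|public)\b/.test(m[2])) {
      found.push({ name: m[1], modifier });
    }
  }
  return found;
}

// Report guarded functions that no other file calls as `.name(` (text heuristic).
function uncalledGuarded(files) {
  const report = [];
  for (const [file, src] of Object.entries(files)) {
    for (const fn of guardedFunctions(src)) {
      const call = new RegExp(`\\.\\s*${fn.name}\\s*\\(`);
      const called = Object.entries(files)
        .some(([other, text]) => other !== file && call.test(text));
      if (!called) report.push(`${file}:${fn.name} (${fn.modifier})`);
    }
  }
  return report;
}
console.log(uncalledGuarded(sources));
```

On the constructed sources it flags `rescueToken` but not `mint`, which LendingPool does call; the scan matches text only, so a call that appears in a comment would hide a finding.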
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RToken::rescueToken() can never be called
