Submission Details
Impact:
Likelihood:
Centralization Risks - Owner Can Drain All Funds
Description
The contract owner has unlimited, immediate withdrawal capabilities without any safeguards, creating extreme centralization risks that could lead to complete fund loss if the owner is compromised or acts maliciously.
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
IERC20(token).transfer(to, amount); // No limits or timelock
}
Risk
Impact:
-
Immediate fund drainage by owner
-
No protection against malicious or compromised owner
-
Users cannot trust funds stored in the contract
Proof of Concept
Add the following to `RebateFiHookTest.t.sol`
function test_OwnerCanDrainAllFunds() public {
uint256 hookBalance = 500 ether;
reFiToken.mint(address(rebateHook), hookBalance);
uint256 initialBalance = reFiToken.balanceOf(address(this));
rebateHook.withdrawTokens(address(reFiToken), address(this), hookBalance);
uint256 finalBalance = reFiToken.balanceOf(address(this));
assertEq(finalBalance, initialBalance + hookBalance);
assertEq(reFiToken.balanceOf(address(rebateHook)), 0); // All funds drained
}
Recommended Mitigation
Implement timelock for withdrawals
Add maximum withdrawal limits
Consider multi-signature requirements for large withdrawals
Implement emergency withdrawal patterns with delays
Rewards breakdown
nSLOC
150This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.