Submission Details
Impact:
Likelihood:
OnlyOwner can Get missing fund even non owner missing and send to the contract
Author Revealed upon completion
Root + Impact
Description
if non user mistaken and send for to the contract he cant withdraw it due it function ristricted to only owner
function recoverTokens(address _token, uint256 _amount) external onlyOwner {
IERC20(_token).transfer(owner, _amount);
}
Risk
Likelihood:
user may loose his fund for ever
Proof of Concept
add this to contract
function test_onlyOwnerCanGetLooseFund() public {
vm.startPrank(address(0x123));
vm.expectRevert(); // it will revert due to address(0x123) is not owner
stratax.recoverTokens(USDC, 10);
vm.stopPrank();
}
Recommended Mitigation
edit the funtion token to go to the sender, when sender accendtly send token should hurry and click it
- function recoverTokens(address _token, uint256 _amount) external onlyOwner {
- IERC20(_token).transfer(owner, _amount);
}
+ function recoverTokens(address _token, uint256 _amount) external {
+ IERC20(_token).transfer(msg.sender, _amount);
}
Rewards breakdown
nSLOC
356This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.