Submission Details
Impact:
Likelihood:
OnlyOwner can Get missing fund even non owner missing and send to the contract
Root + Impact
Description
if non user mistaken and send for to the contract he cant withdraw it due it function ristricted to only owner
function recoverTokens(address _token, uint256 _amount) external onlyOwner {
IERC20(_token).transfer(owner, _amount);
}
Risk
Likelihood:
user may loose his fund for ever
Proof of Concept
add this to contract
function test_onlyOwnerCanGetLooseFund() public {
vm.startPrank(address(0x123));
vm.expectRevert(); // it will revert due to address(0x123) is not owner
stratax.recoverTokens(USDC, 10);
vm.stopPrank();
}
Recommended Mitigation
edit the funtion token to go to the sender, when sender accendtly send token should hurry and click it
- function recoverTokens(address _token, uint256 _amount) external onlyOwner {
- IERC20(_token).transfer(owner, _amount);
}
+ function recoverTokens(address _token, uint256 _amount) external {
+ IERC20(_token).transfer(msg.sender, _amount);
}
Rewards breakdown
nSLOC
356This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.