FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: low
Likelihood: low

Pool owner can redirect recovery-path funds by changing recoveryAddress

Author Revealed upon completion

Summary

The pool owner can call setRecoveryAddress() at any time, including after users have deposited funds. This lets the owner
replace the configured recovery destination before a recovery-path settlement.

The updated address receives funds from bad-faith CORRUPTED settlements, expired attacker bounties, and unclaimed bonus
sweeps.

Impact

A malicious or compromised owner can redirect recovery-path funds to an arbitrary address.

Severity: Low, as it requires the trusted pool owner.

POC test

function testOwnerCanRedirectRecoveryFunds() external {
uint256 amount = 100e18;
address maliciousRecovery = makeAddr("maliciousRecovery");

_stake(alice, amount);
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
// Owner replaces the advertised recovery destination.
pool.setRecoveryAddress(maliciousRecovery);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, false, address(0));
pool.claimCorrupted();
assertEq(token.balanceOf(maliciousRecovery), amount);
assertEq(token.balanceOf(recovery), 0);

}

Mitigation

Lock recoveryAddress after the first stake, or require address updates to pass through a timelock.

function setRecoveryAddress(address newRecoveryAddress) external onlyOwner {
if (expiryLocked) revert RecoveryAddressLocked();
if (newRecoveryAddress == address(0)) revert InvalidRecoveryAddress();

recoveryAddress = newRecoveryAddress;

}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!