Normal Behavior:
The ConfidencePool contract handles the staking and sweeping of a specific, designated stakeToken. Funds related to this specific token are managed securely through the pool's lifecycle states.
Specific Issue/Problem:
Smart contracts frequently receive unsupported ERC20 tokens sent by users either by mistake or due to front-end errors. Because the ConfidencePool contract lacks a generic rescueTokens administrative function, any ERC20 token other than the designated stakeToken that is accidentally sent to the pool will be permanently locked. There is no mechanism for the pool owner or the recovery address to retrieve these stuck funds.
Likelihood:
Reason 1 // Users interacting directly with the contract or using a buggy UI accidentally transfer incorrect tokens (e.g., USDC instead of the designated protocol token).
Impact:
Impact 1 // Permanent loss of funds for the users.
Impact 2 // The tokens remain stuck inside the contract balance forever with no administrative bypass to recover them.
Explanation:
The PoC below illustrates a scenario where a user accidentally transfers random ERC20 tokens to the ConfidencePool address. Because there is no withdrawal function for non-stake tokens, the tokens are permanently stuck, resulting in a total loss of those assets.
Explanation:
Add a rescueTokens function restricted to the contract owner. This function must explicitly prevent the withdrawal of the core stakeToken to maintain the protocol's trust model, while allowing the owner to return accidentally sent unsupported tokens to their rightful owners.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.