ConfidencePool contract has ERC20 token integration because an ERC20 token is used for staking and operations
ie ConfidencePool's stake, withdraw, contributeBonus transfer ConfidencePool::stakeToken ERC20 token
However, ConfidencePool contract does not implement a function to recover ERC20 tokens different than ConfidencePool::stakeToken directly sent to ConfidencePool contract
This lack of ability makes tokens (WETH for example) directly sent to this contract stuck in the pool forever and unable to be recovered
Likelihood:
Low
A user has to directly send tokens to ConfidencePool address
Impact:
High
Tokens send to a ConfidencePool are unable to be recovered, and permanent stuck in ConfidencePool
Create a Pool via ConfidencePoolFactory::createPool
Get address POOL_ADDR of created pool
Send tokens to POOL_ADDR with token != ConfidencePool::stakeToken
Tokens cannot be retrieved and are stuck forever
Implement a function onlyOwner callable to recover tokens (different than stakeToken token) that allows to send out from contract
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.