FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: medium
Likelihood: low

ConfidencePool does not implement a function to recover other ERC20 tokens (different than ConfidencePool::stakeToken) sent to ConfidencePool making stuck forever

Author Revealed upon completion

Description

ConfidencePool contract has ERC20 token integration because an ERC20 token is used for staking and operations
ie ConfidencePool's stake, withdraw, contributeBonus transfer ConfidencePool::stakeToken ERC20 token

However, ConfidencePool contract does not implement a function to recover ERC20 tokens different than ConfidencePool::stakeToken directly sent to ConfidencePool contract

This lack of ability makes tokens (WETH for example) directly sent to this contract stuck in the pool forever and unable to be recovered

Risk

Likelihood:
Low
A user has to directly send tokens to ConfidencePool address

Impact:
High

Tokens send to a ConfidencePool are unable to be recovered, and permanent stuck in ConfidencePool

Proof of Concept

  1. Create a Pool via ConfidencePoolFactory::createPool

  2. Get address POOL_ADDR of created pool

  3. Send tokens to POOL_ADDR with token != ConfidencePool::stakeToken

  4. Tokens cannot be retrieved and are stuck forever

Recommended Mitigation

Implement a function onlyOwner callable to recover tokens (different than stakeToken token) that allows to send out from contract

function recoverToken(address _token, address recover_to) external onlyOwner {
require(recover_to != address(0), "recover_to should not be zero address")
require(_token != address(stakeToken), "token should not be stakeToken");
uint256 balance = IERC20(_token).balanceOf(address(this));
require(balance != 0, "Cant recover zero balance");
IERC20(_token).safeTransfer(recover_to, balance);
emit TokenRecovery(_token, balance);
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!