Description

`rescueRewardTokens` doesn't prevent sweeping away the underlying deposits.

Any token can be a reward; some / most new gauges (e.g. Convex / Aura) are ERC4626 tokens, meaning they can be swept away as well.

Attack Scenario

For whatever reason, either via a multisig compromise or a governance takeover, the manager decides to sweep away the tokenized deposits, breaking the protocol functionality and stealing deposits.

```solidity
function rescueRewardTokens(IERC20 reward, address receiver) external onlyManager {
    require(!protected(reward)); // Check if token is protected, make gauges protected when staking starts
    reward.safeTransfer(receiver, reward.balanceOf(address(this)));
}
```
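The inline comment in the snippet above says gauges should become protected when staking starts. The following Solidity sketch is an added illustration of that mitigation, not VMEX code: the `protectedToken` mapping, the `beginStaking` hook, the `onlyManager` modifier wiring and the minimal `IERC20` interface are assumptions made for the example, and it uses a plain `transfer` with a checked return value instead of OpenZeppelin's `safeTransfer`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. Minimal ERC20 surface used below (assumed).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract RescueExample {
    address public immutable manager;

    // Tokens this contract holds on behalf of depositors (gauge / ERC4626 shares).
    // Hypothetical name: the page references `protected(reward)` but not how it is populated.
    mapping(address => bool) public protectedToken;

    event StakingStarted(address indexed stakingToken);
    event RewardRescued(address indexed token, address indexed receiver, uint256 amount);

    modifier onlyManager() {
        require(msg.sender == manager, "not manager");
        _;
    }

    constructor(address _manager) {
        require(_manager != address(0), "zero manager");
        manager = _manager;
    }

    // Called when staking for a gauge token begins: from here on the token can never be rescued.
    // There is deliberately no "unprotect" counterpart, so a compromised manager or a
    // governance takeover cannot re-enable sweeping of deposit tokens through this path.
    function beginStaking(address stakingToken) external onlyManager {
        require(stakingToken != address(0), "zero token");
        protectedToken[stakingToken] = true;
        emit StakingStarted(stakingToken);
    }

    // Hardened rescue: refuses protected (deposit) tokens, rejects a zero receiver,
    // checks the transfer result and logs the sweep so monitoring can alert on it.
    function rescueRewardTokens(IERC20 reward, address receiver) external onlyManager {
        require(!protectedToken[address(reward)], "protected token");
        require(receiver != address(0), "zero receiver");
        uint256 amount = reward.balanceOf(address(this));
        require(reward.transfer(receiver, amount), "transfer failed");
        emit RewardRescued(address(reward), receiver, amount);
    }
}
```

Once `beginStaking(AURA_DEPOSIT)` has been called, `rescueRewardTokens(IERC20(AURA_DEPOSIT), anyReceiver)` reverts with "protected token"; only tokens never registered as staking tokens remain sweepable. Tokens that do not return a bool from `transfer` would revert under this sketch, which is why production code (like the snippet above) uses `safeTransfer`.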
Thanks for the report. Underlying tokens that are deposited are never owned by the IncentivesController. It either immediately stakes the tokens or unstakes them and sends them back to the aToken contract. Thus, such a risk would not pose a problem.
Github username: @GalloDaSballo
Submission hash (on-chain): 0x39e6bdd72c6d292861d39347759d05434e7dfa37f4bbf1c8f6089f093fe6de87
Severity: low severity
Code Snippet

VMEX-0x050183b53cf62bcd6c2a932632f8156953fd146f/packages/contracts/contracts/protocol/incentives/ExternalRewardDistributor.sol, lines 150 to 151 in f14637d (the `rescueRewardTokens` function quoted above)
POC

```python
reward.safeTransfer(AURA_DEPOSIT, AMT, {"from": manager})
```
Revised Code File