TIMELOCK_ROLE Has Absolute Power to Withdraw All FUND May Raise Red Flags for Investors #125
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate
This issue or pull request already exists
Comments
code423n4
added
3 (High Risk)
|
This is not a duplicate of #263, where 263 talks about sidestepping the delay of the timelock, this finding talks about the high degree of power that the TIMELOCK_ROLE has. This is a typical "admin privilege" finding, it's very important to disclose admin privileges to users so that they can make informed decisions In this case the TIMELOCK_ROLE can effectively rug the protocol, however this is contingent on the account that has the role to pull the rug. Because of it's reliance on external factors, am downgrading the finding to medium severity |
GalloDaSballo
added
2 (Med Risk)
This was referenced Sep 1, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
Meta0xNull
Vulnerability details
Impact
TIMELOCK_ROLE Can Withdraw All FUND from the Contracts via emergencyWithdrawGAS(), emergencyWithdraw(), partialWithdrawGAS(), partialWithdraw().
While I believe developer have good intention to use these functions. It often associate with Rug Pull by developer in the eyes of investors because Rug Pull is not uncommon in Defi. Investors lose all their hard earn money.
Read More: $10.8M Stolen, Developers Implicated in Alleged Smart Contract 'Rug Pull'
https://www.coindesk.com/tech/2020/12/02/108m-stolen-developers-implicated-in-alleged-smart-contract-rug-pull/
Read More: The Rise of Cryptocurrency Exit Scams and DeFi Rug Pulls
https://www.cylynx.io/blog/the-rise-of-cryptocurrency-exit-scams-and-defi-rug-pulls/
Proof of Concept
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/Permissions.sol#L80-L109
Tools Used
Manual Review
Recommended Mitigation Steps
The text was updated successfully, but these errors were encountered: