Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Owner or Managers can rug Aave rewards #89

Open
code423n4 opened this issue May 1, 2022 · 1 comment
Open

Owner or Managers can rug Aave rewards #89

code423n4 opened this issue May 1, 2022 · 1 comment
Assignees
@PierrickGT
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L275-L282

Vulnerability details

Impact

A malicious owner or manager can steal all Aave rewards that are meant for PoolTogether users

Even if the user is benevolent the fact that there is a rug vector available may negatively impact the protocol's reputation.

Proof of Concept

File: contracts/AaveV3YieldSource.sol   #X

275     function claimRewards(address _to) external onlyManagerOrOwner returns (bool) {
276       require(_to != address(0), "AaveV3YS/payee-not-zero-address");
277   
278       address[] memory _assets = new address[](1);
279       _assets[0] = address(aToken);
280   
281       (address[] memory _rewardsList, uint256[] memory _claimedAmounts) = rewardsController
282         .claimAllRewards(_assets, _to);

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L275-L282

the claimRewards() function allows the caller to send the rewards to an arbitrary address

Tools Used

Code inspection

Recommended Mitigation Steps

Use a poolAddressesProviderRegistry-like contract to determine where the rewards should go, instead of letting an address be passed in
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 1, 2022
code423n4 added a commit that referenced this issue May 1, 2022
@code423n4
IllIllI issue #89
c12d2c7
@PierrickGT PierrickGT self-assigned this May 4, 2022
@PierrickGT
Copy link
Member

Duplicate of #55

@PierrickGT PierrickGT marked this as a duplicate of #55 May 4, 2022
@PierrickGT PierrickGT added the duplicate This issue or pull request already exists label May 4, 2022
@gititGoro gititGoro removed the duplicate This issue or pull request already exists label May 18, 2022
@gititGoro gititGoro mentioned this issue May 18, 2022
Closed
@JeeberC4 JeeberC4 reopened this May 20, 2022
This was referenced Sep 1, 2023
Closed
Closed
Closed
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@PierrickGT PierrickGT

Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@PierrickGT @gititGoro @code423n4 @JeeberC4