Pledge creators can be rug pulled anytime

[code423n4]

Lines of code

https://github.com/code-423n4/2022-10-paladin/blob/66f9fcc813e220906a13e779b3198891e30459cc/contracts/WardenPledge.sol#L653

Vulnerability details

Proof of Concept

When a user creates a new Pledge, the contract transfers the reward amount of rewardToken from his address to the contract’s address. The issue is that the contract allows the contract’s owner to just transfer those rewardTokens to himself anytime without having to delegate any boost to the Pledge creator.

Steps:

1. A user creates a new Pledge and 1000 rewardToken are transferred from his wallet to the contract
2. The contract owner calls removeRewardToken to set minAmountRewardToken[token] **=** *0*
3. The contract owner calls recoverERC20 with the address of the rewardToken
4. Now the 1000 rewardToken are in the owner’s wallet, without him joining the pledge and delegating any boost, while the contract is left with 0 rewardToken and no one can join that particular pledge anymore

Impact

This gives 100% power of the admin to steal any user’s “pledged” reward tokens any time. This can happen not only with a compromised owner wallet but with an owner that turned malicious also.

Recommendation

Remove the recoverERC20 functionality, since it is not needed for the protocol’s functionality and is only there to “Recovers ERC2O tokens sent by mistake to the contract”

[Kogaroshi]

Duplicate of #17

[c4-judge]

kirk-baird marked the issue as not a duplicate

[c4-judge]

kirk-baird marked the issue as duplicate

[c4-judge]

kirk-baird marked the issue as satisfactory

[c4-judge]

kirk-baird marked the issue as not a duplicate

[c4-judge]

kirk-baird marked the issue as duplicate of #17

[c4-judge]

Simon-Busch marked the issue as duplicate of #68