Paladin - Warden Pledges contest - 0xhunter's results

Lines of code

https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L653-L661

Vulnerability details

recoverERC20 function is deployed so users who have accidently sent erc20 tokens to the contract be able to recover them. recoverERC20 uses if(minAmountRewardToken[token] != 0) revert Errors.CannotRecoverToken(); to check if token was set to one of the RewardTokens or not minAmountRewardToken is always more than 0 because in createPledge a pledge has to contain a uint256 which cant be set to 0 . there are some erc20 tokens that have multiple entry points , one of them is a proxy and another one is the main contract it self . if one of those tokens that was set as rewardToken at createPledge had multiple entry points , then it is possible to call recoverERC20 and bypass if(minAmountRewardToken[token] != 0) revert Errors.CannotRecoverToken(); and steal rewardtoken's funds .

recommendation : use a loop , 1-check all of currently rewardtokens's balances , stack them up and then check if the balance is changed after the transfer or not 2- remove this function , since it may cause lots of gas to check whole the rewardtoken's balances , the best way is to remove this function 3-move user's funds to another contract , in lines 333 394 438 , use another contract address instead of address.this so users who had sent erc20 tokens accidnetly to address.this be able to recover them without being able to steal rewardtokens