Badger Citadel contest - p4st13r4's results

Bringing BTC to DeFi

General Information

Platform: Code4rena

Start Date: 04/02/2022

Pot Size: $30,000 USDC

Total HM: 3

Participants: 37

Period: 3 days

Judge: leastwood

Id: 84

League: ETH

BadgerDAO

Findings Distribution

Researcher Performance

Rank: 19/37

Findings: 1

Award: $515.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: gellej

Also found by: Czar102, TomFrenchBlockchain, WatchPug, csanuragjain, defsec, hubble, p4st13r4, pedroais

Labels

bug
duplicate
2 (Med Risk)

Awards

515.7803 USDC - $515.78

External Links

Lines of code

https://github.com/code-423n4/2022-02-badger-citadel/blob/main/contracts/TokenSaleUpgradeable.sol#L315

Vulnerability details

Impact

The setSaleRecipient() function can change the sale recipient while a sale is open. This function can only be called by the owner of the contract; however, since:

  1. the saleRecipient is the address that receives all the input tokens deposited by users, and

  2. a comment explicitly says that this address will be the Citadel multisig (https://github.com/code-423n4/2022-02-badger-citadel/blob/main/contracts/TokenSaleUpgradeable.sol#L92),

this parameter should not be something that can be changed easily, and especially not while a sale is open. In fact, this opens up scenarios of theft of funds by a malicious contract owner.

Proof of Concept

https://github.com/code-423n4/2022-02-badger-citadel/blob/main/contracts/TokenSaleUpgradeable.sol#L315

Tools Used

Editor

Recommended Mitigation Steps

Add this check:

require(!finalized, "TokenSale: already finalized");
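As an added illustration (not the Badger Citadel code and not part of the original finding), the snippet below shows a sale-recipient setter guarded so the address cannot be redirected while deposits are flowing. The fields saleStart and saleDuration, the saleOpen() helper and the finalize() function are assumptions for this example; only saleRecipient, setSaleRecipient() and finalized appear in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Minimal example contract (not TokenSaleUpgradeable) showing how to keep
/// the recipient of user deposits fixed for the lifetime of an open sale.
contract GuardedSaleRecipient {
    address public owner;
    address public saleRecipient;   // receives every input token users deposit
    uint64  public saleStart;       // assumed field: timestamp the sale opens
    uint64  public saleDuration;    // assumed field: seconds the sale stays open
    bool    public finalized;       // set once the sale has been closed out

    event SaleRecipientUpdated(address indexed oldRecipient, address indexed newRecipient);

    modifier onlyOwner() {
        require(msg.sender == owner, "TokenSale: not owner");
        _;
    }

    constructor(address recipient, uint64 start, uint64 duration) {
        require(recipient != address(0), "TokenSale: zero recipient");
        owner = msg.sender;
        saleRecipient = recipient;
        saleStart = start;
        saleDuration = duration;
    }

    /// A sale counts as open from saleStart until it ends or is finalized.
    function saleOpen() public view returns (bool) {
        return block.timestamp >= saleStart
            && block.timestamp < saleStart + saleDuration
            && !finalized;
    }

    /// Hardened setter: the owner may only change the recipient outside an
    /// open sale, so funds already being deposited cannot be redirected.
    /// Emitting an event also makes any change visible to off-chain monitoring.
    function setSaleRecipient(address newRecipient) external onlyOwner {
        require(newRecipient != address(0), "TokenSale: zero recipient");
        require(!saleOpen(), "TokenSale: sale is open");
        emit SaleRecipientUpdated(saleRecipient, newRecipient);
        saleRecipient = newRecipient;
    }

    /// Assumed closing step: only allowed once the sale window has elapsed.
    function finalize() external onlyOwner {
        require(block.timestamp >= saleStart + saleDuration, "TokenSale: sale not ended");
        finalized = true;
    }
}
```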

#0 - GalloDaSballo

2022-02-14T13:06:34Z

The functionality was willingly added. I believe the finding to have legitimacy, but as with any admin privilege it should be downgraded to medium severity.

#1 - 0xleastwood

2022-03-14T11:02:29Z

Duplicate of #50
