tsvetanovv - Malicious or hacked admin can steal tokens
Closed this issue · 0 comments
sherlock-admin commented
tsvetanovv
medium
Malicious or hacked admin can steal tokens
Summary
In Bank.sol
we have transferOut() This function is external and can be call only by onlyController
. It is possible malicious or hacked owner to steal tokens.
function transferOut(
address token,
address receiver,
uint256 amount
) external onlyController {
_transferOut(token, receiver, amount);
}
Vulnerability Detail
As can be seen from the code snippet , nothing can stop malicious or hacked admin to steal tokens. He can use address receiver
and send tokens for yourself.
Impact
Malicious or hacked admin can steal tokens.
Code Snippet
function transferOut(
address token,
address receiver,
uint256 amount
) external onlyController {
_transferOut(token, receiver, amount);
}
Tool used
Manual Review
Recommendation
For more certain it is good to add timelock mechanism.