Centralization risk
Description
In the claimAdditionalRewards function, the contract checks if the target is whitelisted and if the rewards-asset address is not the underlying or strategy address. This prevents even the owner from withdrawing the underlying or strategy tokens. However, the admin can set the target address to strategy by allowing the strategy address to be whitelisted, and then the admin can withdraw all the strategy tokens using the approve function. This centralization risk can prevent users from withdrawing their unclaimed rewards.
require(whitelistedTargets[target][functionSelector], "Target not whitelisted");
require(rewardsAsset != address(underlying), "Cannot claim underlying asset");
require(rewardsAsset != address(strategy), "Cannot claim strategy asset");
require(rewardsAsset != address(this), "Cannot claim vault asset");
Impact
By abusing this functionality with an admin account, the admin can withdraw all the strategy tokens.
Recommendations
Add a check for the target address.
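One way such a target check could look, as an added sketch that is not StakeKit's code and not the fix from the remediation commit. The contract name, the setWhitelistedTarget setter, the _isProtected helper, the payload parameter and the function signatures are assumptions; only the mapping, the variable names and the four original require messages come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: layout and signatures are assumed, not taken from the audited vault.
contract RewardsClaimGuard {
    address public immutable owner;
    address public immutable underlying;
    address public immutable strategy;
    mapping(address => mapping(bytes4 => bool)) public whitelistedTargets;

    constructor(address underlying_, address strategy_) {
        owner = msg.sender;
        underlying = underlying_;
        strategy = strategy_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    // Addresses that must never be the callee of an admin-driven arbitrary call.
    function _isProtected(address a) internal view returns (bool) {
        return a == underlying || a == strategy || a == address(this);
    }

    // Hypothetical setter: refuse to whitelist a protected address in the first place.
    function setWhitelistedTarget(address target, bytes4 functionSelector, bool allowed) external onlyOwner {
        require(!allowed || !_isProtected(target), "Cannot whitelist protected target");
        whitelistedTargets[target][functionSelector] = allowed;
    }

    function claimAdditionalRewards(address target, bytes calldata payload, address rewardsAsset) external onlyOwner {
        require(payload.length >= 4, "Missing function selector");
        bytes4 functionSelector = bytes4(payload[:4]);
        require(whitelistedTargets[target][functionSelector], "Target not whitelisted");
        // Added check: validate the call target, not only the rewards asset.
        // Repeated here so entries whitelisted before the setter check existed are also rejected.
        require(!_isProtected(target), "Cannot call protected target");
        require(rewardsAsset != underlying, "Cannot claim underlying asset");
        require(rewardsAsset != strategy, "Cannot claim strategy asset");
        require(rewardsAsset != address(this), "Cannot claim vault asset");
        (bool ok, ) = target.call(payload);
        require(ok, "Claim call failed");
    }
}
```

With both checks in place, whitelisting the strategy address reverts, and a call such as approve can no longer be routed to the strategy token through this function.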
Remediation
This issue has been acknowledged by StakeKit, and a fix was implemented in commit 3d9b9f45.