·
Rewards obtained from FSTO through the delegation of voting power to signal providers can be stolen by the agent’s owner due to a discrepancy between the reward token’s address and WNAT’s address in the collateralPool contract, leading to the forfeiture of rewards for CPT holders.
- Users contribute their WNATs to the agent’s pool.
- The owner’s agent delegates voting power to signal providers.
- The WNAT address is modified by the asset updater in the Flare Time Series Oracle (FTSO).
- AssetManagerController::updateContracts is invoked by every user, as it does not have access constraints. The agent’s owner identifies the opportunity and executes CollateralPool::claimDelegationRewards, resulting in the transfer of new WNAT to the agent’s pool; however, the totalCollateral remains unchanged due to an inconsistency between the received token and the pool’s collateral token.
- Subsequently, the agent’s owner invokes CollateralPool::upgradeWNatContract, which merely swaps the old WNATs for the new version.
- Finally, the agent’s owner can sweep collected new WNATs as a reward following the announcement of destruction.
Alpha: think what can break if certain admin functions are called. In this case, WNAT address modification allows the agent owner to exploit it.
Conclusion
This finding would earn you $33790, make sure you verify the impact of admin functions.