#46858 [SC-High] The agent owner can exploit a malicious rewardManager to steal tokens from the protocol

Submitted on Jun 5th 2025 at 11:35:35 UTC by @ayden for Audit Comp | Flare | FAssets

• Report ID: #46858

• Report Type: Smart Contract

• Report severity: High

• Target: https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/CollateralPool.sol

• Impacts:

  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Description

Brief/Intro

In the CollateralPool.sol::claimDelegationRewards() / claimAirdropDistribution(). The agent owner can specify any arbitrary or malicious contract address, as there is no validation on the provided address. After claiming reward tokens from an external contract, the totalCollateral value is increased based on the return value of the external call.

However, the contract does not verify whether the claimed tokens were actually transferred to itself. If the external contract does not transfer the expected tokens, totalCollateral will be artificially inflated. This allows the agent owner to exit the pool with more tokens than they are entitled to, potentially resulting in a loss of funds for other users.

Vulnerability Details

Let's take claimAirdropDistribution as example:

    function claimAirdropDistribution(
        IDistributionToDelegators _distribution,
        uint256 _month
    )
        external
        onlyAgent
        returns(uint256)
    {
        uint256 claimed = _distribution.claim(address(this), payable(address(this)), _month, true);
        totalCollateral += claimed;
        emit ClaimedReward(claimed, 0);
        return claimed;
    }

totalCollateral is increased by claimed , but whether the claimed tokens were actually transferred is not checked.

Impact Details

Protocol users lost of funds

References

Proof of Concept

Proof of Concept

add test to CollateralPool.ts: