Dispute #396

Court Start Date Dispute Status Current Period End Date
Technical 2020-09-24 02:41 Already Ruled Execution Already Ruled 2020-10-08 21:23
Arbitrable Creator

Unique Votes in all the rounds

Yes No Refuse to arbitrate Pending
0 2 0 0

Round 0

Yes No Refuse to arbitrate Pending
0 5 0 0
Round 0 Vote Casting Date
No 2020-10-01 17:39
No 2020-10-01 17:39
No 2020-10-01 17:39
No 2020-10-03 21:07
No 2020-10-03 21:07


Evidence provided by Vagarish

Evidence #1:

Response to previous request

Here is the contract for pUNI-v2 https://etherscan.io/address/0xf79ae82dccb71ca3042485c85588a3e0c395d55b

You can see the function earn at L868. It sends it to the controller at L871. It is possible for the governance to change the controller (L859). The governance is a timelock https://etherscan.io/address/0xd92c7faa0ca0e6ae4918f3a83d9832d9caeaa0d3#code which is then controlled by a Gnosis multisig https://etherscan.io/address/0x9d074e37d408542fd38be78848e8814afb38db17#code . So the multisig can steal the funds which are deposited (with a delay).

Evidence #2:

Juror's request for further information

To the Challenger: I'm unable to find the 'earn' function referred to in your submission. Could you please point me to that part of the contract?

To the Requester: Is it correct that staked tokens can be transferred by the owner? If so, what is the worst-case-scenario consequence of this assuming a malicious or fully compromised owner? How does that situation compare to those described in the policy document?

Evidence #3:

Challenge Justification

The strategy fails to list the risk of theft of the funds by the contract owner. The owner of the contract ("governance") can change the address of the controller to an address under his control. He could then call 'earn', which would transfer the staked token to the address under his control. The governance is a multisig under a timelock, so the risk can slightly be reduced by looking at the transactions queued in the timelock contract. But even then this can still result in a loss of funds due to the 0.5% withdrawal fee. This is a substantial risk which hasn't been disclosed; therefore this submission should be rejected.
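The timelock queue review that Evidence #3 mentions, as an added example that is not part of the dispute record or of any party's submission: it scans decoded queue entries for a pending controller change on the pUNI-v2 contract and reports how long depositors have before it becomes executable. Assumptions: the timelock emits Compound-style queue events with `target`, `signature`, `data` and `eta` fields, the setter is named `setController(address)`, and every entry, controller address and timestamp below is constructed.

```python
# Added example: all queue entries below are constructed, not chain data.
JAR = "0xf79ae82dccb71ca3042485c85588a3e0c395d55b"  # pUNI-v2 address cited in Evidence #1
CURRENT_CONTROLLER = "0x" + "11" * 20               # constructed placeholder
SET_CONTROLLER = "setController(address)"           # assumed setter signature

# Decoded queue events in the assumed Compound-style shape (constructed).
QUEUED = [
    {"target": JAR, "signature": SET_CONTROLLER,
     "data": "0x" + "00" * 12 + "ab" * 20, "eta": 1601942400},
    {"target": JAR, "signature": "setMin(uint256)",
     "data": "0x" + "00" * 31 + "5f", "eta": 1601942400},
    {"target": JAR, "signature": "",   # raw calldata, selector not decoded
     "data": "0x12345678" + "00" * 32, "eta": 1601946000},
    {"target": "0x" + "22" * 20, "signature": SET_CONTROLLER,
     "data": "0x" + "00" * 12 + "cd" * 20, "eta": 1601942400},
]

def decode_address(data_hex):
    """Decode one ABI-encoded address argument (32 bytes, left-padded with zeros)."""
    raw = bytes.fromhex(data_hex[2:])
    if len(raw) != 32 or any(raw[:12]):
        raise ValueError("not a single ABI-encoded address")
    return "0x" + raw[12:].hex()

def review_queue(entries, jar, current_controller, now):
    """Return (kind, detail, seconds_until_executable) for entries needing review."""
    alerts = []
    for e in entries:
        if e["target"].lower() != jar.lower():
            continue  # queued call is aimed at some other contract
        left = e["eta"] - now
        if e["signature"] == SET_CONTROLLER:
            new = decode_address(e["data"])
            if new != current_controller.lower():
                alerts.append(("CONTROLLER_CHANGE", new, left))
        elif e["signature"] == "":
            # Calldata-only entry: cannot rule out a controller change, flag it.
            alerts.append(("UNDECODED_CALL", e["data"][:10], left))
    return alerts

if __name__ == "__main__":
    now = 1601899200  # constructed "current time"
    for kind, detail, left in review_queue(QUEUED, JAR, CURRENT_CONTROLLER, now):
        print(f"{kind} {detail} executable in {left // 3600}h")
```

Entries queued with an empty signature carry the selector inside `data`, so they are flagged for manual decoding rather than skipped.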
