SoyFinance / smart-contracts

11 stars 9 forks source link

Security Flaw: withdrawal function depends on external contract behavior #12

Closed Dexaran closed 3 years ago

Dexaran commented 3 years ago

Withdrawal function has "updateReward(msg.sender)" modifier which calls external contract Global Farm which is possibly upgradeable https://github.com/SoyFinance/smart-contracts/blob/aca333e173185295791e4da0db552a72e36a533c/Farming/SOYStakingRewards.sol#L279

This interaction dependencies can lead to a situation where a flaw or fault on the Global Farm contract can cause user to become unable to withdraw LP tokens from the farm.

Moreover it is hard to guarantee that upgradeability will not cause any problems to this contract system in the whole future.

It would be better to have an "emergency withdraw" function that would behave independently from any external contracts.

Dexaran commented 3 years ago

Not relevant since https://github.com/SoyFinance/smart-contracts/commit/8ac3f514ce99dfed2449103171c28f8eaf98a675