code-423n4 / 2021-06-pooltogether-findings


Use ERC-165 instead of homebrew staticcall-based check #104

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

axic

Vulnerability details

Impact

YieldSourcePrizePool has a check for the supplied yieldSource to be adhering to the interface. This is done via a manual staticcall to one function (depositToken).

The more widespread pattern is using the ERC-165 interface, which not only checks a single function, but a complete interface.

The staticcall approach has the possibility of wasting gas, should the recipient perform a lot of steps before hitting an exception.

Proof of Concept

This is not critical.

Tools Used

Manual review.

Recommended Mitigation Steps

Use the ERC-165 standard.
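As an added illustration of the two patterns contrasted in the finding (this is not PoolTogether code and not part of the original issue), the contract below puts a single-selector staticcall probe next to an ERC-165 `supportsInterface` check. The `IYieldSourceLike` interface is a hypothetical minimal stand-in for the project's yield-source interface; only `depositToken()` is taken from the finding text, the rest is assumed. The gas-capped staticcall and the `0xffffffff` sanity check follow the ERC-165 specification, which requires a conforming contract to return `false` for that id.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal yield-source interface (assumption for this example).
interface IYieldSourceLike {
    function depositToken() external view returns (address);
    function balanceOfToken(address addr) external returns (uint256);
    function supplyTokenTo(uint256 amount, address to) external;
    function redeemToken(uint256 amount) external returns (uint256);
}

// ERC-165 as specified; its own interface id is 0x01ffc9a7.
interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

contract YieldSourceChecks {
    // Interface id per ERC-165: XOR of every function selector in the interface.
    bytes4 public constant YIELD_SOURCE_ID = type(IYieldSourceLike).interfaceId;

    // Pattern the finding criticises: probe one selector with an uncapped staticcall.
    // A success only proves that *something* answered depositToken() (possibly a
    // fallback), and a failing callee may burn most of the forwarded gas first.
    function probeDepositToken(address target) external view returns (bool) {
        (bool ok, bytes memory ret) = target.staticcall(
            abi.encodeWithSelector(IYieldSourceLike.depositToken.selector)
        );
        return ok && ret.length == 32;
    }

    // ERC-165 pattern: ask the callee whether it declares the *whole* interface.
    // The gas cap bounds what a misbehaving callee can consume during the check.
    function supportsYieldSource(address target) external view returns (bool) {
        // Must support ERC-165 itself and must reject the all-ones id.
        if (!_supports(target, type(IERC165).interfaceId)) return false;
        if (_supports(target, 0xffffffff)) return false;
        return _supports(target, YIELD_SOURCE_ID);
    }

    function _supports(address target, bytes4 id) private view returns (bool) {
        (bool ok, bytes memory ret) = target.staticcall{gas: 30000}(
            abi.encodeWithSelector(IERC165.supportsInterface.selector, id)
        );
        // Reject reverts and short/garbage return data before decoding.
        if (!ok || ret.length < 32) return false;
        return abi.decode(ret, (bool));
    }
}

// A yield source that advertises its interface the ERC-165 way.
contract ExampleYieldSource is IYieldSourceLike, IERC165 {
    address public immutable token;
    mapping(address => uint256) private balances;

    constructor(address token_) { token = token_; }

    function supportsInterface(bytes4 id) external pure override returns (bool) {
        return id == type(IERC165).interfaceId
            || id == type(IYieldSourceLike).interfaceId;
    }

    function depositToken() external view override returns (address) { return token; }
    function balanceOfToken(address addr) external view override returns (uint256) { return balances[addr]; }
    function supplyTokenTo(uint256 amount, address to) external override { balances[to] += amount; }
    function redeemToken(uint256 amount) external override returns (uint256) {
        balances[msg.sender] -= amount;
        return amount;
    }
}
```

Deploying `ExampleYieldSource` and passing its address to `supportsYieldSource` returns `true`; an arbitrary contract that merely happens to expose a `depositToken()` function (or answers every call through a fallback) passes `probeDepositToken` but fails the ERC-165 check because it does not declare the full interface id.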

dmvt commented 3 years ago

The impact is gas related, so changing to G