Closed code423n4 closed 3 years ago
These are actually five different code bases. If there was an internal inconsistency in one I agree that this would be a problem; however the yield sources each live independently in their own projects.
Agree with the sponsor on this one. Insistent use across multiple code bases is not an issue nor does it represent a vulnerability vector.
Handle
shw
Vulnerability details
Impact
In some contracts such as `PrizePool`, OpenZeppelin's implementation `_msgSender()` is used to get the sender, while in other contracts such as `*YieldSource`, `msg.sender` is directly used instead. Inconsistent usage could make the codebase more difficult to maintain and could possibly introduce errors if `_msgSender()` is overridden to other implementations in the future.
Proof of Concept
Referenced code: Please use `grep -R '_msgSender()' .` and `grep -R 'msg\.sender' .` to find those contracts.
Recommended Mitigation Steps
Change all `msg.sender` to `_msgSender()`. Make the yield source contracts inherit from OpenZeppelin's `ContextUpgradeable` if necessary.
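An added example, not part of the original report or the project's code: a shell extension of the two `grep` commands in the Proof of Concept that labels each Solidity file by how it reads the caller and reports whether the tree is uniform. The function names (`classify_sender_usage`, `sender_usage_is_consistent`, `make_sample_tree`) and the two sample contracts are constructed for illustration.

```shell
#!/bin/sh
# Classify how each .sol file reads the caller (block comments are not stripped):
#   direct = only msg.sender, context = only _msgSender(), mixed = both
classify_sender_usage() (
  find "$1" -type f -name '*.sol' | sort | while IFS= read -r file; do
    code=$(sed 's|//.*$||' "$file")   # drop // comments so dead code is not counted
    direct=$(printf '%s\n' "$code" | grep -c 'msg\.sender' || true)
    context=$(printf '%s\n' "$code" | grep -c '_msgSender()' || true)
    if [ "$direct" -gt 0 ] && [ "$context" -gt 0 ]; then class=mixed
    elif [ "$direct" -gt 0 ]; then class=direct
    elif [ "$context" -gt 0 ]; then class=context
    else continue
    fi
    printf '%s\t%s\n' "${file#"$1"/}" "$class"
  done
)

# Succeeds only when every file that reads the caller uses the same form.
sender_usage_is_consistent() {
  classes=$(classify_sender_usage "$1" | cut -f2 | sort -u)
  case $classes in
    ''|direct|context) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample tree (not the audited code).
make_sample_tree() (
  dir=$(mktemp -d)
  mkdir -p "$dir/pool" "$dir/yield"
  cat > "$dir/pool/PrizePool.sol" <<'EOF'
contract PrizePool is ContextUpgradeable {
  function deposit() external { _credit(_msgSender()); }
}
EOF
  cat > "$dir/yield/ExampleYieldSource.sol" <<'EOF'
contract ExampleYieldSource {
  // older revision called _msgSender() here
  function supply() external { _credit(msg.sender); }
}
EOF
  printf '%s\n' "$dir"
)

tree=$(make_sample_tree)
classify_sender_usage "$tree"
sender_usage_is_consistent "$tree" || echo "caller lookup is inconsistent"
rm -rf "$tree"
```

Run against a real checkout, the exit status of `sender_usage_is_consistent` can gate a CI job; vendored dependencies should be excluded from the path passed in, since a `Context` implementation itself contains `msg.sender`.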