code-423n4 / 2021-06-pooltogether-findings


`BadgerYieldSource` and `SushiYieldSource` are not upgradeable #113

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

The contracts BadgerYieldSource and SushiYieldSource are not upgradeable, since they do not inherit from any of OpenZeppelin's upgradeable contracts (e.g., ERC20Upgradeable) as the other yield source contracts do.

Proof of Concept

Referenced code: BadgerYieldSource.sol#L13, SushiYieldSource.sol#L13

Recommended Mitigation Steps

Make BadgerYieldSource and SushiYieldSource upgradeable.
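To make the distinction the report draws concrete, here is an added side-by-side illustration; it is not PoolTogether's code and not part of the report. It assumes OpenZeppelin Contracts v4.x, and the contract and variable names (`MinimalYieldSourceFixed`, `MinimalYieldSourceUpgradeable`, `vault`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not PoolTogether code. Assumes OpenZeppelin Contracts v4.x;
// the contract names and `vault` are hypothetical.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC20/ERC20Upgradeable.sol";

// Shape of the two flagged contracts: a plain ERC20 base and a constructor.
// Everything the constructor writes (`vault`, the ERC20 name and symbol) is
// stored in this contract's own storage at deployment. If this bytecode were
// later placed behind a delegatecall proxy, the proxy's storage would hold
// none of those values, so the deployed contract is fixed as it is.
contract MinimalYieldSourceFixed is ERC20 {
    IERC20 public vault;

    constructor(IERC20 vault_) ERC20("Yield Share", "ySHR") {
        vault = vault_;
    }
}

// Shape of the other yield sources: inherit the *Upgradeable bases and replace
// the constructor with an `initialize` function. Called through a proxy, the
// writes land in the proxy's storage, and the `initializer` modifier (from
// Initializable, pulled in by ERC20Upgradeable) ensures it can run only once.
contract MinimalYieldSourceUpgradeable is ERC20Upgradeable {
    IERC20 public vault;

    function initialize(IERC20 vault_) external initializer {
        __ERC20_init("Yield Share", "ySHR");
        vault = vault_;
    }
}
```

Whether a yield source should take the second form is a design choice rather than a defect in itself; the sponsor's reply in this thread treats the fixed form as intentional.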

asselstine commented 3 years ago

We don't want them to be upgradeable! It's a feature not a bug.

dmvt commented 3 years ago

Per sponsor, feature, not bug. Closing.