search

code-423n4 / 2021-06-pooltogether-findings

0 stars 0 forks source link

`YieldSourcePrizePool` should use EIP-165 to detect valid yield sources #83

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The YieldSourcePrizePool.initializeYieldSourcePrizePool should use EIP-165 to detect valid yield sources instead of the "hack" with the depositToken function.

// A hack to determine whether it's an actual yield source
(bool succeeded,) = address(_yieldSource).staticcall(abi.encode(_yieldSource.depositToken.selector));
require(succeeded, "YieldSourcePrizePool/invalid-yield-source");

Impact

It's better to detect and check for the entire yield source interface instead of just the depositToken function as many contracts have a similar function.

Recommended Mitigation Steps

Use EIP-165.

asselstine commented 3 years ago

Severity is 0 (Non-critical), as in https://github.com/code-423n4/2021-06-pooltogether-findings/issues/104.

dmvt commented 3 years ago

duplicate of #104