The YieldSourcePrizePool.initializeYieldSourcePrizePool should use EIP-165 to detect valid yield sources instead of the "hack" with the depositToken function.
// A hack to determine whether it's an actual yield source
(bool succeeded,) = address(_yieldSource).staticcall(abi.encode(_yieldSource.depositToken.selector));
require(succeeded, "YieldSourcePrizePool/invalid-yield-source");
Impact
It's better to detect and check for the entire yield source interface instead of just the depositToken function as many contracts have a similar function.
Handle
cmichel
Vulnerability details
The
YieldSourcePrizePool.initializeYieldSourcePrizePool
should use EIP-165 to detect valid yield sources instead of the "hack" with thedepositToken
function.Impact
It's better to detect and check for the entire yield source interface instead of just the
depositToken
function as many contracts have a similar function.Recommended Mitigation Steps
Use EIP-165.