asselstine
commented
3 years ago This is an interesting one:
- the yield source interface does not require the deposit be tokenized; the implementation is entirely up to the yield source.
- the _canAwardExternal is a legacy of older code. Since it had to be included it was set to assume the yield source was tokenized.
Since yield sources are audited and analyzed, I think this is a pretty low risk. Additionally, not all of the yield sources are tokenized (Badger and Sushi are not), so it isn't a risk for them.
We could have canAwardExternal on the yield source itself, but it would add gas overhead.
aodhgan
Handle
cmichel
Vulnerability details
The idea of
YieldSourcePrizePool_canAwardExternalseems to be to disallow awarding the interest-bearing token of the yield source, like aTokens, cTokens, yTokens.However, the code checks
_externalToken != address(yieldSource)whereyieldSourceis the actual yield strategy contract and not the strategy's interest-bearing token. Note that theyieldSourceis usually not even a token contract except forATokenYieldSourceandYearnV2YieldSource.Impact
The
_canAwardExternaldoes not work as expected. It might be possible to award the interest-bearing token which would lead to errors and loss of funds when trying to redeem underlying.Recommended Mitigation Steps
There doesn't seem to be a function to return the interest-bearing token. It needs to be added, similar to
depositToken()which retrieves the underlying token.