Open code423n4 opened 3 years ago
We considered this, but it's possible for a malicious user to "drain" the approval of the contract, so there would need to be checks to see if approval dropped below a certain level. We opted to leave out the complexity.
Actually, we'll tackle this. We will:
Add the function to approve max again to the Idle yield source: https://github.com/code-423n4/2021-06-pooltogether/blob/85f8d044e7e46b7a3c64465dcd5dffa9d70e4a3e/contracts/yield-source/IdleYieldSource.sol#L65
Handle
cmichel
Vulnerability details
ATokenYieldSource should approve the lending contract once during initialization with the max value. This saves gas on every supplyTokenTo/_depositToAave call as the approval can be removed from there.
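A sketch of the change discussed in this thread, added here as an illustration and not taken from the PoolTogether repository: a single max approval at setup, a deposit path with no per-call approve, and a permissionless refresh guarded by an allowance floor. The contract name, `approveMax`, `ALLOWANCE_FLOOR`, the 1:1 `balanceOf` accounting and the use of a constructor instead of an initializer are assumptions. The token is assumed to return `bool` from `approve` and `transferFrom`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface ILendingPool {
    function deposit(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
}

// Illustrative contract, not the audited ATokenYieldSource.
contract YieldSourceSketch {
    IERC20 public immutable token;
    ILendingPool public immutable pool;
    mapping(address => uint256) public balanceOf; // simplified 1:1 accounting

    // Hypothetical floor below which anyone may restore the max allowance.
    uint256 public constant ALLOWANCE_FLOOR = type(uint256).max / 2;

    constructor(IERC20 _token, ILendingPool _pool) {
        token = _token;
        pool = _pool;
        // One max approval at setup replaces the approve in every deposit.
        require(_token.approve(address(_pool), type(uint256).max), "approve failed");
    }

    function supplyTokenTo(uint256 amount, address to) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balanceOf[to] += amount;
        _depositToAave(amount);
    }

    // No approve here: the pool pulls tokens against the standing allowance.
    function _depositToAave(uint256 amount) internal {
        pool.deposit(address(token), amount, address(this), 0);
    }

    // Addresses the "drain" concern: tokens that decrement even a max allowance
    // lose `amount` of it per deposit, so allow a refresh once it is below the floor.
    function approveMax() external returns (bool refreshed) {
        if (token.allowance(address(this), address(pool)) >= ALLOWANCE_FLOOR) {
            return false;
        }
        require(token.approve(address(pool), type(uint256).max), "approve failed");
        return true;
    }
}
```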