code-423n4 / 2021-09-yaxis-findings


Earn and Harvest work when halted #149

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

0xsanson

Vulnerability details

Impact

The functions Earn and Harvest of Harvester.sol also work when the manager is set to halted. This is probably unintended behaviour.

Tools Used

editor

Recommended Mitigation Steps

Add notHalted modifier to aforementioned functions.

Haz077 commented 3 years ago

harvestStrategy in Controller.sol and earn in Vault.sol have the notHalted modifier, which makes it unnecessary to add it again in Earn and Harvest of Harvester.sol.

uN2RVw5q commented 3 years ago

It seems that harvesters can be added using https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/Harvester.sol#L150 and it allows any address to be a harvester. So if an arbitrary address is added as a harvester (that is, it is not a Controller contract), then it would be able to call harvestStrategy even when the contract is halted.

If this is possible, then adding the modifier is recommended. If addHarvestor is always a Controller contract, then consider documenting this and changing the tag to documentation.
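The pattern the report's mitigation and the comment above are discussing, shown as an added example that is not the yAxis code and not from any participant in this thread. The contract below is a hypothetical, minimal Harvester: `isHarvester` is an access gate that governance can open for any address, and `notHalted` is a separate halt gate that reads a shared Manager flag. The interface shapes, function names and parameter lists are assumptions made for illustration; the real Harvester.sol, Controller.sol and Manager.sol differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-ins for the pieces the thread refers to. Names,
// signatures and storage layout are assumptions, not the yAxis v3 code.
interface IManager {
    function halted() external view returns (bool);
    function governance() external view returns (address);
}

interface IController {
    function harvestStrategy(address _strategy) external;
}

interface IVault {
    function earn() external;
}

contract HarvesterExample {
    IManager public immutable manager;
    mapping(address => bool) public isHarvester;

    constructor(address _manager) {
        manager = IManager(_manager);
    }

    // Access gate only: it says *who* may call, not *whether* calls are
    // currently allowed. Governance can add any address, EOA included.
    modifier onlyHarvester() {
        require(isHarvester[msg.sender], "!harvester");
        _;
    }

    // Halt gate: the modifier the report asks for. Reading the Manager's
    // flag means one halt switch covers every entry point that carries it.
    modifier notHalted() {
        require(!manager.halted(), "halted");
        _;
    }

    modifier onlyGovernance() {
        require(msg.sender == manager.governance(), "!governance");
        _;
    }

    function addHarvester(address _harvester) external onlyGovernance {
        isHarvester[_harvester] = true;
    }

    function removeHarvester(address _harvester) external onlyGovernance {
        isHarvester[_harvester] = false;
    }

    // Before: access gate only. Whether a halt is enforced depends entirely
    // on the callee (the Controller / Vault) having its own notHalted check.
    function harvestUnguarded(address _controller, address _strategy)
        external
        onlyHarvester
    {
        IController(_controller).harvestStrategy(_strategy);
    }

    // After: access gate plus halt gate at the Harvester's own entry point,
    // so the revert no longer depends on which callee the harvester names.
    function harvest(address _controller, address _strategy)
        external
        onlyHarvester
        notHalted
    {
        IController(_controller).harvestStrategy(_strategy);
    }

    function earn(address _vault) external onlyHarvester notHalted {
        IVault(_vault).earn();
    }
}
```

The design point is the one the two comments circle around: a permission modifier and a halt modifier answer different questions, and a check that lives only in a downstream contract protects a path only if every caller actually goes through that contract. Placing `notHalted` on the Harvester's own external functions costs one extra `SLOAD` and a staticcall per invocation, and removes the dependence on the callee.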

uN2RVw5q commented 3 years ago

I think this is a duplicate of https://github.com/code-423n4/2021-09-yaxis-findings/issues/10

GalloDaSballo commented 2 years ago

Sponsor ended up mitigating and agreeing in substance

Duplicate of #10