Closed code423n4 closed 2 years ago
It is not used in anywhere else in the code so I don't think this is an issue.
It is used in LegacyController https://github.com/code-423n4/2021-09-yaxis/blob/cf7d9448e70b5c1163a1773adb4709d9d6ad6c99/contracts/v3/controllers/LegacyController.sol#L164
As far as I understand, LegacyController.withdraw
can only be called by the legacy metavault contract. If this is a trusted / whitelisted user, then I would say that there is no risk. Would be useful if @Haz077 or another dev could confirm this. If this is the case, then changing the tag to "sponsor disputed" sounds good to me.
Yes, the Metavault is trusted as it doesn't allow contract depositors/withdrawers.
Agree with sponsor
Note for sponsor: There's an EIP that may not allow you to disable contracts from interacting, see: https://eips.ethereum.org/EIPS/eip-3074
Handle
tensors
Vulnerability details
Impact
The view functions in StablesConverter.sol can be manipulated to give incorrect answers by flashloan attacks. Using them within the code in a naive way can lead to lost funds.
Example
https://github.com/code-423n4/2021-09-yaxis/blob/cf7d9448e70b5c1163a1773adb4709d9d6ad6c99/contracts/v3/converters/StablesConverter.sol#L169
Recommendations
Make sure the functions are only used as estimates (for example, on the UI). Furthermore, add a comment so that new developers working on the code base realize the same thing. Dont use this function in the rest of the code.