asselstine
commented
3 years ago Open code423n4 opened 3 years ago
asselstine
commented
3 years ago 
GalloDaSballo
commented
3 years ago The sponsor has mitigated in a subsequent PR Personally am not a fan of the check as it offers no guarantees besides the function being implemented
Handle
pauliax
Vulnerability details
Impact
Low-level calls like staticcall return true even if the account called is non-existent (per EVM design) so this hack in YieldSourcePrizePool constructor will not work in certain cases: // A hack to determine whether it's an actual yield source (bool succeeded, ) = address(_yieldSource).staticcall( abi.encodePacked(_yieldSource.depositToken.selector) );
You can try to pass an EOA address and see that it will return true.
Recommended Mitigation Steps
Account existence must be checked prior to calling. A similar issue was submitted in a previous contest and assigned a severity of low, you can find more details here: https://github.com/code-423n4/2021-04-basedloans-findings/issues/16