code-423n4 / 2021-10-tempus-findings


Aave/Compound pools result in liquidity mining returns being lost #14

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

TomFrench

Vulnerability details

Impact

Loss of potential yield resulting in pools being less attractive to users.

Proof of Concept

The AaveTempusPool contract deposits funds into Aave in return for aTokens. The AaveTempusPool contract will then be eligible for liquidity mining rewards but has no function which would allow it to claim those rewards.

https://github.com/tempus-finance/tempus-protocol/blob/0240b4d172d7aa093a70e0401f4140c99aa30dc6/contracts/pools/AaveTempusPool.sol#L66

To get around this, Tempus would have to periodically get Aave governance to whitelist them to take the AaveTempusPool's rewards on their behalf (unlikely to happen due to governance overhead).

Recommended Mitigation Steps

Add a function to claim Aave LM rewards and put them to use in some fashion, e.g. liquidate to the underlying asset to provide yield to users, or direct into the community treasury if unable to do the former.
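
A sketch of the recommended claim function, added here as an illustration and not taken from the Tempus repository or from the issue author. The interface is a subset of Aave V2's `IAaveIncentivesController`; the contract name `AaveRewardsClaimer`, the `rewardsRecipient` address and the event are assumptions. The logic has to live in (or be inherited by) the contract that holds the aTokens, because rewards accrue to the holder's address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Subset of Aave V2's incentives controller used by this example.
interface IAaveIncentivesController {
    function getRewardsBalance(address[] calldata assets, address user) external view returns (uint256);
    function claimRewards(address[] calldata assets, uint256 amount, address to) external returns (uint256);
}

/// Hypothetical mixin (not Tempus code) for a pool that holds aTokens.
abstract contract AaveRewardsClaimer {
    IAaveIncentivesController public immutable incentivesController;
    address public immutable aToken;
    /// Assumed destination, e.g. a treasury or a contract that swaps rewards to the underlying.
    address public immutable rewardsRecipient;

    event RewardsClaimed(address indexed recipient, uint256 amount);

    constructor(IAaveIncentivesController controller, address aToken_, address recipient) {
        require(
            address(controller) != address(0) && aToken_ != address(0) && recipient != address(0),
            "zero address"
        );
        incentivesController = controller;
        aToken = aToken_;
        rewardsRecipient = recipient;
    }

    /// Rewards accrued to this contract that have not been claimed yet.
    function pendingRewards() public view returns (uint256) {
        return incentivesController.getRewardsBalance(_assets(), address(this));
    }

    /// Callable by anyone: the recipient is fixed at deployment, so the caller
    /// cannot redirect funds. Passing uint256 max claims everything accrued.
    function claimRewards() external returns (uint256 claimed) {
        claimed = incentivesController.claimRewards(_assets(), type(uint256).max, rewardsRecipient);
        emit RewardsClaimed(rewardsRecipient, claimed);
    }

    /// The controller takes the list of incentivized assets held by the caller.
    function _assets() private view returns (address[] memory assets) {
        assets = new address[](1);
        assets[0] = aToken;
    }
}
```

Keeping the recipient immutable avoids adding a privileged setter to the pool; if rewards are instead to be liquidated into the underlying asset, the recipient would be the contract that performs that swap.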