code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

https://github.com/code-423n4/2021-12-yetifinance/blob/5f5bf61209b722ba568623d8446111b1ea5cb61c/packages/contracts/contracts/YetiFinanceTreasury.sol#L28-L30

function updateTeamWallet(address _newTeamWallet) external onlyTeam {
    teamWallet = _newTeamWallet;
}

YetiFinanceTreasury.teamWallet is a critical role, if the current teamWallet mistakenly called updateTeamWallet() with a wrong address, it can result in all the onlyTeam() methods being unaccessible, and it cannot be undo.

Recomandation

Consider changing the updateTeamWallet() function to first nominate an address as the pending teamWallet and adding an acceptTeamWallet() function which is called by the pending teamWallet to confirm the transfer.

kingyetifinance commented 2 years ago

@LilYeti: Duplicate #115

alcueca commented 2 years ago

Taking this as main

code-423n4 / 2021-12-yetifinance-findings

`YetiFinanceTreasury.sol#updateTeamWallet()` should implement two-step transfer pattern #251

Handle

Vulnerability details

Recomandation