code-423n4 / 2021-12-yetifinance-findings


Return Value from `transfer` Function is Not Checked #303

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

broccolirob

Vulnerability details

The transfer function on ERC20 tokens returns a boolean value if successful. That value is not checked in several places in the Yeti protocol. Yeti has to whitelist, but it's unreasonable to think they can monitor for all implementation changes across all tokens.

Impact

Internal balances will be inaccurate if transfers fail.

Proof of Concept

Tools Used

Recommended Mitigation Steps

Use OpenZeppelin's SafeERC20, or ensure that the transfer/transferFrom return value is always checked.

kingyetifinance commented 2 years ago

@LilYeti: Duplicate with #1 and is medium / level 2 severity

kingyetifinance commented 2 years ago

Fixed

alcueca commented 2 years ago

Duplicate of #94