There are multiple benefits to deriving the SHER and USDC token addresses from Sherlock.sol / _sherlockPosition:
- Minimises incorrect-argument errors, since fewer constructor arguments are required.
- Removes the need for zero-address checks on these arguments (thus saving gas).
- Guarantees correctness of the USDC and SHER token addresses (with the exception that they’re wrongly set in SherlockPosition). Should either address be incorrect (accidentally swapped, for example), incorrect token approvals would be given, causing the contract to fail. The sale would have to be delayed because any deposited SHER tokens for the sale can only be withdrawn after SherClaim.claimableAt().
Recommended Mitigation Steps
Expose the token and SHER addresses in Sherlock.sol, and allow SherBuy to fetch these values.
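A sketch of this mitigation, added here as an example and not taken from the Sherlock code base: the getter names `token()` and `sher()`, the interface `ISherlockTokens`, the contract `SherBuySketch` and the approval target are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Minimal ERC-20 surface used by this sketch.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical getters: token() and sher() are assumed names standing in
// for whatever Sherlock.sol exposes once the mitigation is applied.
interface ISherlockTokens {
    function token() external view returns (IERC20); // USDC
    function sher() external view returns (IERC20);  // SHER
}

// Illustrative contract, not the project's SherBuy.
contract SherBuySketch {
    ISherlockTokens public immutable sherlockPosition;
    IERC20 public immutable usdc;
    IERC20 public immutable sher;

    // One address argument instead of three: the tokens cannot be swapped
    // or mistyped by the deployer because they are never passed in.
    constructor(ISherlockTokens _sherlockPosition) {
        // No zero-address checks on the tokens are needed. If
        // _sherlockPosition has no code (address(0) included), these
        // getter calls revert and the deployment fails.
        IERC20 _usdc = _sherlockPosition.token();
        IERC20 _sher = _sherlockPosition.sher();

        sherlockPosition = _sherlockPosition;
        usdc = _usdc;
        sher = _sher;

        // Assumed approval target, shown only to illustrate that approvals
        // now always go to the token the position contract actually uses.
        require(
            _usdc.approve(address(_sherlockPosition), type(uint256).max),
            "USDC approve failed"
        );
    }
}
```

The derived addresses are only as correct as the values stored in the position contract, which is the one exception noted above.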
Handle
GreyArt