code-423n4 / 2022-01-sherlock-findings

SherBuy: SHER and USDC token addresses should be derived from _sherlockPosition #222

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

GreyArt

Vulnerability details

Impact

There are multiple benefits to deriving the SHER and USDC token addresses from Sherlock.sol / _sherlockPosition.

Recommended Mitigation Steps

Expose the token and SHER addresses in Sherlock.sol, and allow SherBuy to fetch these values.

constructor(
    uint256 _stakeRate,
    uint256 _buyRate,
    ISherlock _sherlockPosition,
    address _receiver,
    ISherClaim _sherClaim
) {
    ...
    // TODO: ISherlock to expose token() and sher() addresses
    usdc = _sherlockPosition.token();
    sher = _sherlockPosition.sher();
}
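
Both sides of the recommended change in one compilable file, as an added example that is not code from the issue or from the Sherlock code base. `ISherlockTokens`, `SherlockStub` and `SherBuyDerived` are hypothetical names, tokens are typed as plain `address` so no external imports are needed, and the other constructor parameters are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical minimal interface: only the two getters the issue
// asks ISherlock to expose.
interface ISherlockTokens {
    function token() external view returns (address);
    function sher() external view returns (address);
}

// Stand-in for Sherlock.sol. Public immutables get compiler-generated
// getters, which satisfy the interface functions above.
contract SherlockStub is ISherlockTokens {
    address public immutable override token;
    address public immutable override sher;

    constructor(address _token, address _sher) {
        require(_token != address(0) && _sher != address(0), "zero address");
        token = _token;
        sher = _sher;
    }
}

// Stand-in for SherBuy. It takes no token parameters, so it cannot be
// deployed with a USDC or SHER address that differs from the one the
// referenced Sherlock position uses.
contract SherBuyDerived {
    ISherlockTokens public immutable sherlockPosition;
    address public immutable usdc;
    address public immutable sher;

    constructor(ISherlockTokens _sherlockPosition) {
        require(address(_sherlockPosition) != address(0), "zero position");

        // Read into locals first: immutables cannot be read back inside
        // the constructor on older 0.8.x compilers.
        address usdc_ = _sherlockPosition.token();
        address sher_ = _sherlockPosition.sher();
        require(usdc_ != address(0) && sher_ != address(0), "zero token");

        sherlockPosition = _sherlockPosition;
        usdc = usdc_;
        sher = sher_;
    }
}
```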