code-423n4 / 2022-01-yield-findings

Remove duplicate address variables #108

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

sirhashalot

Vulnerability details

Impact

The ConvexStakingWrapper.sol contract looks like it has duplicate variables storing the addresses of the CRV and CVX token contracts. Removing the duplicate variables can save gas.

Proof of Concept

The Yield contract contains both the constant variables and the constructor input parameters to store the same information.

Recommended Mitigation Steps

Remove the unnecessary _curveToken input parameter and _convexToken input parameter from the ConvexStakingWrapper.sol contract constructor because these values are stored in the constant variables crv and cvx.

iamsahu commented 2 years ago

They are different tokens. The ones that would be passed in the constructor are:

curveToken: 0x6c3F90f043a72FA612cbac8115EE7e52BDe6E490
convexToken: 0x30d9410ed1d5da1f6c8391af5338c93ab8d4035c

GalloDaSballo commented 2 years ago

I can see where the warden came from in terms of the variable names being deceiving, but ultimately those are different tokens, hence the finding is invalid.