Closed code423n4 closed 2 years ago
As specified in the readme: https://github.com/code-423n4/2022-01-yield#interacting-directly-with-smart-contracts
The finding is invalid, as the contract is explicitly not supposed to hold any funds; it is intended to be interacted with by other contracts.
Handle
GeekyLumberjack
Vulnerability details
Impact
The caller of unwrap() would receive all of the unwrapped convex tokens, potentially depriving the user of all collateral and any rewards.
Proof of Concept
This portion of the readme describes the process that leads to the vulnerability.
When step 4 is executed the funds will be in ConvexYieldWrapper, and an attacker who calls unwrap() can have all the funds and rewards sent to any address.
Tools Used
Manual analysis
Recommended Mitigation Steps
Add access controls to unwrap()
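The recommended mitigation, shown as an added Solidity illustration that is not part of this issue and not the ConvexYieldWrapper code under review: a minimal wrapper whose unwrap() may only be called by one trusted address. The contract name, the token interface, the `authorized` address and the event and error names are all assumptions introduced for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration of access control on unwrap().
// Names below are assumptions, not identifiers from the audited project.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract WrapperWithAccessControl {
    IERC20 public immutable convexToken;  // assumed token held by the wrapper
    address public immutable authorized;  // assumed single trusted caller (another protocol contract)

    event Unwrapped(address indexed caller, address indexed to, uint256 amount);
    error Unauthorized(address caller);

    constructor(IERC20 _convexToken, address _authorized) {
        convexToken = _convexToken;
        authorized = _authorized;
    }

    // Reverts unless msg.sender is the trusted contract.
    modifier auth() {
        if (msg.sender != authorized) revert Unauthorized(msg.sender);
        _;
    }

    // Before the fix the signature would be `function unwrap(address to) external` with no
    // modifier, so anyone could direct the wrapper's entire balance to an address of their
    // choosing while funds sit in the wrapper between steps. The `auth` modifier restricts
    // the call to the trusted caller; the event leaves an on-chain trail for monitoring.
    function unwrap(address to) external auth {
        uint256 amount = convexToken.balanceOf(address(this));
        require(convexToken.transfer(to, amount), "transfer failed");
        emit Unwrapped(msg.sender, to, amount);
    }
}
```

A single hard-coded caller keeps the example short; a production contract would more likely use a role-based scheme so the authorized set can be rotated without redeploying. Either way, the check sits on the function that moves balances, not on the deposit path.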