code-423n4 / 2022-04-jpegd-findings


old strategy approval is not set to false #118

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/yVault/Controller.sol#L82

Vulnerability details

Impact

While updating the strategy, it was observed that the old strategy's approval was not set to false.

Proof of Concept

  1. Observe the setStrategy function
  2. View that there is no functionality to set approvedStrategies[_token][_current] to false

Recommended Mitigation Steps

Set approvedStrategies[_token][_current]=false

spaghettieth commented 2 years ago

That is intended, as strategies in the approvedStrategies mapping can be interchanged if needed.

dmvt commented 2 years ago

Out of scope and easily fixable. Invalid.