Closed code423n4 closed 2 years ago
We withdraw to the yield source first to be able to calculate the actual amount of tokens that was transferred by the Aave pool and not only assume that the amount returned by the withdraw
function is the correct amount.
So for this reason, I have disputed the issue.
Fees are naturally incorporated in calculations so this looks more like a dev decision than a risk. Marking as invalid.
Lines of code
https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L258-L263
Vulnerability details
Impact
The current implementation withdraws the underlying asset to the yield source contract before transferring it to the
msg.sender
. This extra step unnecessarily incurs a fee which will likely cause problems for the recipient contract.Proof of Concept
https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L258-L263
Tools Used
Code inspection
Recommended Mitigation Steps
Rather than using
address(this)
as thewithdraw()
recipient, use the final destination,msg.sender
instead