Open code423n4 opened 2 years ago
As it is the factory that has the approval in this context, we cannot be sure that no other operator will change the allocation. So we prefer to call setMaxAllowance in the final process to be sure that the factory has the allowance.
BeefyVaultOperator.sol
deposit: setMaxAllowance should be called in the constructor
In the deposit function on line 48, we call ExchangeHelpers.setMaxAllowance(token, vault); to allow the vault to spend token. Each time assets are deposited in the vault, we shouldn't have to allow it to spend the token again. I recommend calling ExchangeHelpers.setMaxAllowance(token, vault) only once in the constructor for each vault and token. I also recommend adding a setMaxAllowance function, callable only by the owner of the operator, that would allow setting the max allowance in case the allowance has decreased.
Recommendation:
BeefyZapBiswapLPVaultOperator.sol and BeefyZapUniswapLPVaultOperator.sol
zapAndStakeLp: setMaxAllowance should be called in the constructor
In the _zapAndStakeLp function on line 189, and subsequently on lines 194 and 195, we call ExchangeHelpers.setMaxAllowance(); to allow the vault to spend token. Each time assets are deposited in the vault, we shouldn't have to allow it to spend the token again. I recommend calling ExchangeHelpers.setMaxAllowance() only once in the constructor for each vault and token. I also recommend adding a setMaxAllowance function, callable only by the owner of the operator, that would allow setting the max allowance in case the allowance has decreased. This will also avoid calling ExchangeHelpers.setMaxAllowance(IERC20(swapToken), router); in the _withdrawAndSwap function on line 162.
Recommendation:
YearnCurveVaultOperator.sol
depositETH: setMaxAllowance should be called in the constructor
In the depositETH function on line 78, we call ExchangeHelpers.setMaxAllowance(IERC20(address(weth)), address(withdrawer)); to allow the withdrawer to spend weth. Each time assets are deposited in the vault, we shouldn't have to allow the withdrawer to spend weth again. I recommend calling ExchangeHelpers.setMaxAllowance(IERC20(address(weth)), address(withdrawer)) only once in the constructor. I also recommend adding a setMaxAllowance function, callable only by the owner of the operator, that would allow setting the max allowance in case the allowance has decreased.
Recommendation:
StakingLPVaultHelpers.sol
addLiquidityAndDepositETH: setMaxAllowance should be called in addVault
In the addLiquidityAndDepositETH function on line 45, we call ExchangeHelpers.setMaxAllowance(lpToken, vault); to allow the vault to spend lpToken. Each time assets are deposited in the vault, we shouldn't have to allow the vault to spend lpToken again. I recommend calling ExchangeHelpers.setMaxAllowance(lpToken, vault); only once in the addVault function of the YearnVaultStorage. I also recommend adding a setMaxAllowance function, callable only by the owner, that would allow setting the max allowance in case the allowance has decreased. This will also avoid calling it in the _addLiquidityAndDeposit function on line 77.
Recommendation:
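A sketch of the pattern recommended in the report above, added here as an illustration and not taken from the audited code base or from the report's author: approve once in the constructor, keep an owner-only setMaxAllowance for recovery, and drop the approval from the deposit path. VaultOperatorSketch and IVault are hypothetical names, and the caveat in the comments assumes the operator is reached through delegatecall from the factory, which is how the reply about the factory holding the approval is read here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. VaultOperatorSketch and IVault are hypothetical names;
// production code would use OpenZeppelin's SafeERC20 for tokens whose
// approve() returns no value.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IVault {
    function deposit(uint256 amount) external;
}

contract VaultOperatorSketch {
    address public immutable owner;
    IERC20 public immutable token;
    IVault public immutable vault;

    constructor(IERC20 _token, IVault _vault) {
        owner = msg.sender;
        token = _token;
        vault = _vault;
        // One-time approval. The allowance recorded by the token is
        // allowance[address(this)][vault], where address(this) is this operator.
        require(_token.approve(address(_vault), type(uint256).max), "approve failed");
    }

    // Owner-only reset in case the allowance has decreased.
    function setMaxAllowance() external {
        require(msg.sender == owner, "not owner");
        // Go through zero first: some tokens reject non-zero to non-zero changes.
        require(token.approve(address(vault), 0), "reset failed");
        require(token.approve(address(vault), type(uint256).max), "approve failed");
    }

    // No approve() on the hot path, so no allowance read or write per deposit.
    // Caveat: if this function is reached through delegatecall from a factory,
    // the vault pulls tokens from the factory, so the allowance that matters is
    // allowance[factory][vault], which the constructor above never set.
    function deposit(uint256 amount) external {
        vault.deposit(amount);
    }
}
```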