code-423n4 / 2022-06-yieldy-findings


`setCurvePool` does not approve the new curve pool to transfer the TOKE_POOL token, making it unusable for its intended purpose. #264

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L153-L160 https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L632-L651

Vulnerability details

File: Staking.sol
153:     /**
154:         @notice sets the curve pool address
155:         @param _curvePool uint
156:      */
157:     function setCurvePool(address _curvePool) external onlyOwner {
158:         CURVE_POOL = _curvePool;
159:         setToAndFromCurve();
160:     }
File: Staking.sol
632:     function setToAndFromCurve() internal {
633:         if (CURVE_POOL != address(0)) {
634:             address address0 = ICurvePool(CURVE_POOL).coins(0);
635:             address address1 = ICurvePool(CURVE_POOL).coins(1);
636:             int128 from = 0;
637:             int128 to = 0;
638: 
639:             if (TOKE_POOL == address0 && STAKING_TOKEN == address1) {
640:                 to = 1;
641:             } else if (TOKE_POOL == address1 && STAKING_TOKEN == address0) {
642:                 from = 1;
643:             }
644:             require(from == 1 || to == 1, "Invalid Curve Pool");
645: 
646:             curvePoolFrom = from;
647:             curvePoolTo = to;
648: 
649:             emit LogSetCurvePool(CURVE_POOL, curvePoolTo, curvePoolFrom);
650:         }
651:     }

Consider doing the same as in Staking.sol#initialize:

File: Staking.sol
78:         if (CURVE_POOL != address(0)) {
79:             IERC20(TOKE_POOL).approve(CURVE_POOL, type(uint256).max);
80:             setToAndFromCurve();
81:         }
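As an added example, not the warden's or the project's code: a `setCurvePool` that grants the new pool the same allowance `initialize` does, and additionally revokes the allowance of the pool being replaced, so a stale unlimited approval does not linger on an address the contract no longer uses. The interface shapes follow the snippets above; the contract name `StakingCurvePoolExample`, the `owner` field, the constructor and the `onlyOwner` modifier are assumptions made so the example compiles on its own.

```solidity
// Added example (not from 2022-06-yieldy). Only the members needed to
// show the approval handling are included; names other than those quoted
// in the finding (TOKE_POOL, STAKING_TOKEN, CURVE_POOL, curvePoolFrom,
// curvePoolTo, LogSetCurvePool, setToAndFromCurve) are assumptions.
pragma solidity ^0.8.9;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ICurvePool {
    function coins(uint256 i) external view returns (address);
}

contract StakingCurvePoolExample {
    address public immutable TOKE_POOL;
    address public immutable STAKING_TOKEN;
    address public CURVE_POOL;
    int128 public curvePoolFrom;
    int128 public curvePoolTo;
    address public owner; // assumed; the real contract uses an Ownable base

    event LogSetCurvePool(address indexed curvePool, int128 to, int128 from);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _tokePool, address _stakingToken) {
        owner = msg.sender;
        TOKE_POOL = _tokePool;
        STAKING_TOKEN = _stakingToken;
    }

    /// @notice Replaces the curve pool and moves the TOKE_POOL allowance with it.
    /// @param _curvePool new pool address, or address(0) to disable curve swaps
    function setCurvePool(address _curvePool) external onlyOwner {
        address previous = CURVE_POOL;

        // Revoke the old pool's allowance first: after this call the contract
        // never swaps through it again, so it has no reason to keep pulling TOKE_POOL.
        if (previous != address(0) && previous != _curvePool) {
            IERC20(TOKE_POOL).approve(previous, 0);
        }

        CURVE_POOL = _curvePool;

        // Validate the pool (coins() must contain TOKE_POOL and STAKING_TOKEN)
        // before granting it any allowance; setToAndFromCurve reverts otherwise.
        setToAndFromCurve();

        // Mirror initialize(): without this approval the pool's exchange()
        // cannot transferFrom the contract's TOKE_POOL and every swap reverts.
        if (_curvePool != address(0)) {
            IERC20(TOKE_POOL).approve(_curvePool, type(uint256).max);
        }
    }

    // Same logic as Staking.sol#632-651 in the finding.
    function setToAndFromCurve() internal {
        if (CURVE_POOL != address(0)) {
            address address0 = ICurvePool(CURVE_POOL).coins(0);
            address address1 = ICurvePool(CURVE_POOL).coins(1);
            int128 from = 0;
            int128 to = 0;

            if (TOKE_POOL == address0 && STAKING_TOKEN == address1) {
                to = 1;
            } else if (TOKE_POOL == address1 && STAKING_TOKEN == address0) {
                from = 1;
            }
            require(from == 1 || to == 1, "Invalid Curve Pool");

            curvePoolFrom = from;
            curvePoolTo = to;

            emit LogSetCurvePool(CURVE_POOL, curvePoolTo, curvePoolFrom);
        }
    }
}
```

The order matters: the allowance is granted only after `setToAndFromCurve` has accepted the pool, so a typo'd or malicious address never receives an approval, and the previous pool is zeroed before the new one is set so no two pools hold an allowance at the same time.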
toshiSat commented 2 years ago

duplicate #285

KenzoAgada commented 2 years ago

The judging sheet mentions this as a duplicate of #222 instead of #165.