Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L153-L160 https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L632-L651
File: Staking.sol 153: /** 154: @notice sets the curve pool address 155: @param _curvePool uint 156: */ 157: function setCurvePool(address _curvePool) external onlyOwner { 158: CURVE_POOL = _curvePool; 159: setToAndFromCurve(); 160: }
File: Staking.sol 632: function setToAndFromCurve() internal { 633: if (CURVE_POOL != address(0)) { 634: address address0 = ICurvePool(CURVE_POOL).coins(0); 635: address address1 = ICurvePool(CURVE_POOL).coins(1); 636: int128 from = 0; 637: int128 to = 0; 638: 639: if (TOKE_POOL == address0 && STAKING_TOKEN == address1) { 640: to = 1; 641: } else if (TOKE_POOL == address1 && STAKING_TOKEN == address0) { 642: from = 1; 643: } 644: require(from == 1 || to == 1, "Invalid Curve Pool"); 645: 646: curvePoolFrom = from; 647: curvePoolTo = to; 648: 649: emit LogSetCurvePool(CURVE_POOL, curvePoolTo, curvePoolFrom); 650: } 651: }
Consider doing just like in Staking.sol#initialize:
File: Staking.sol 78: if (CURVE_POOL != address(0)) { 79: IERC20(TOKE_POOL).approve(CURVE_POOL, type(uint256).max); 80: setToAndFromCurve(); 81: }
duplicate #285
The judging sheet mentions this as duplicate of #222 instead of #165.
Lines of code
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L153-L160 https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L632-L651
Vulnerability details
Consider doing just like in Staking.sol#initialize: