[M-01] Cannot set or change curve pool after initialization

[code423n4]

Lines of code

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L78-L81 https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L157-L160

Vulnerability details

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L78-L81 https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L157-L160

Impact

Inability to set or change curve pool after initialization will hurt the project liquidity and block the ability to instant unstake from curve.

• Approving the CURVE_POOL address is done only on initialize and only if non zero address supplied.
• When using setCurvePool the address changes but not approved, therefore instantUnstakeCurve will fail with any parameters.

Proof of Concept

• Changing the given stakingTest.ts at the beforeEach: https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/test/stakingTest.ts#L120 To: ethers.constants.AddressZero,
• Set the pool later, by doing await staking.setCurvePool(constants.CURVE_POOL);
• Run test
• both "Can instant unstake full amount with curve" and "Can instant unstake partial amount with curve" will fail

Tools Used

Yarn Hardhat

Recommended Mitigation Steps

Add approve to setCurvePool so it will look like this:

    function setCurvePool(address _curvePool) external onlyOwner {
        CURVE_POOL = _curvePool;
        IERC20(TOKE_POOL).approve(CURVE_POOL, type(uint256).max);
        setToAndFromCurve();
    }

[toshiSat]

sponsor confirmed

[KenzoAgada]

The judging sheet mentions this as duplicate of https://github.com/code-423n4/2022-06-yieldy-findings/issues/222 instead of https://github.com/code-423n4/2022-06-yieldy-findings/issues/165.