KenzoAgada
commented
2 years ago The linked function receives a parameter which can set the the value of the mapping to be false, thereby unignoring any pair.
Closed code423n4 closed 2 years ago
KenzoAgada
commented
2 years ago The linked function receives a parameter which can set the the value of the mapping to be false, thereby unignoring any pair.
alcueca
commented
2 years ago Disputed for the reason stated above.
PierrickGT
commented
2 years ago As mentioned by Kenzo, the setIgnoredPair function accepts a bool ignore parameter which allows a pair to be added or removed from the ignoredPairs mapping as was suggesting the warden.
For this reason, I have labelled this issue as invalid.
Lines of code
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L150-L157
Vulnerability details
Impact
The Witch contract uses
setIgnoredPairfunction to prevent the liquidation of accepted pairs on the governance level. However, there is no method to remove these pairs from theignoredPairsmapping.Proof of Concept
Imagine there are vaults with UST/fyUST pair and this pair can not be liquidated. It will eventually lead the Yield to be in bad debt if any stable token loses the pegging in the future.
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L150-L157
Tools Used
Manual review
Recommended Mitigation Steps
The team might consider implementing a method to remove pairs off the
ignoredPairsmapping.