Open code423n4 opened 1 year ago
minhquanym marked the issue as primary issue
0xRektora marked the issue as disagree with severity
We don't need to use approvals because the intended use is for contracts, not EOAs. But this opens a new problem. Should be marked as Informational.
0xRektora marked the issue as sponsor confirmed
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-b
Lines of code
https://github.com/Tapioca-DAO/tapiocaz-audit/blob/bcf61f79464cfdc0484aa272f9f6e28d5de36a8f/contracts/tOFT/modules/BaseTOFTStrategyModule.sol#L89-L120
Vulnerability details
Impact
Input param ICommonData.IApproval[] approvals is missing for function retrieveFromStrategy.
Proof of Concept
In other cross-chain functions, ICommonData.IApproval[] approvals serves to pass signatures to a remote chain. However, in function retrieveFromStrategy, this param is missing. The user will need to approve YieldBox for the TOFT contract manually on the remote chain. The approval is needed at _retrieveFromYieldBox.
Tools Used
Manual
Recommended Mitigation Steps
Add ICommonData.IApproval[] approvals and function _callApproval.
Assessed type
Other
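The pattern the report asks for, as an added Solidity sketch that is not the warden's code and not Tapioca's: the same withdrawal path once without an approvals array (the caller must have approved the module on the YieldBox-like contract beforehand) and once with signed approvals carried in the call and applied by a _callApproval loop before the withdrawal that needs them. Every struct field, interface, contract and parameter name here is an assumption chosen for illustration; the real ICommonData.IApproval, YieldBox and module signatures should be taken from the repository linked above, not from this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not project code. Interfaces, struct layout and
// function names are assumed for the sketch.

interface IPermitTarget {
    // ERC-2612 style single-spender permit (assumed to exist on `target`).
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    // Operator-wide permit, the shape an "approve everything" signature would use (assumed).
    function permitAll(address owner, address spender, uint256 deadline,
                       uint8 v, bytes32 r, bytes32 s) external;
}

interface IYieldBoxLike {
    // Minimal withdrawal entry point (assumed signature).
    function withdraw(uint256 assetId, address from, address to, uint256 amount, uint256 share)
        external returns (uint256 amountOut, uint256 shareOut);
}

library ApprovalSketch {
    // Stand-in for ICommonData.IApproval; fields are assumptions.
    struct IApproval {
        bool permitAll;     // call permitAll instead of permit
        bool allowFailure;  // tolerate a reverting approval instead of aborting
        address target;     // contract that verifies the signature
        address owner;      // signer granting the approval
        address spender;    // who becomes approved (should be this module)
        uint256 value;      // only used by permit
        uint256 deadline;
        uint8 v;
        bytes32 r;
        bytes32 s;
    }
}

contract StrategyModuleSketch {
    IYieldBoxLike public immutable yieldBox;

    constructor(IYieldBoxLike _yieldBox) {
        yieldBox = _yieldBox;
    }

    // Shape of the function as reported: no approvals travel with the call,
    // so `from` must have approved this contract on `yieldBox` out of band.
    function retrieveFromStrategyWithoutApprovals(
        address from, address to, uint256 assetId, uint256 amount, uint256 share
    ) external returns (uint256, uint256) {
        return _retrieveFromYieldBox(from, to, assetId, amount, share);
    }

    // Mitigated shape: signed approvals are applied first, then the withdrawal
    // that depends on them runs in the same transaction.
    function retrieveFromStrategy(
        address from, address to, uint256 assetId, uint256 amount, uint256 share,
        ApprovalSketch.IApproval[] calldata approvals
    ) external returns (uint256, uint256) {
        if (approvals.length > 0) {
            _callApproval(approvals);
        }
        return _retrieveFromYieldBox(from, to, assetId, amount, share);
    }

    // Applies each approval on its target, bubbling the original revert data
    // unless the entry opted into allowFailure.
    function _callApproval(ApprovalSketch.IApproval[] calldata approvals) internal {
        for (uint256 i = 0; i < approvals.length; ++i) {
            ApprovalSketch.IApproval calldata a = approvals[i];
            if (a.permitAll) {
                try IPermitTarget(a.target).permitAll(a.owner, a.spender, a.deadline, a.v, a.r, a.s) {
                } catch (bytes memory err) {
                    _handleFailure(a.allowFailure, err);
                }
            } else {
                try IPermitTarget(a.target).permit(a.owner, a.spender, a.value, a.deadline, a.v, a.r, a.s) {
                } catch (bytes memory err) {
                    _handleFailure(a.allowFailure, err);
                }
            }
        }
    }

    function _handleFailure(bool allowFailure, bytes memory err) private pure {
        if (allowFailure) return;
        // Re-raise the callee's revert data unchanged so the caller sees the real reason.
        assembly {
            revert(add(err, 32), mload(err))
        }
    }

    // The step the report identifies as needing the approval: the YieldBox-like
    // contract will only move `from`'s shares if this contract is approved.
    function _retrieveFromYieldBox(
        address from, address to, uint256 assetId, uint256 amount, uint256 share
    ) internal returns (uint256, uint256) {
        return yieldBox.withdraw(assetId, from, to, amount, share);
    }
}
```

Two practitioner caveats on the pattern itself: the approvals are executed by whoever delivers the cross-chain message, so a signed permit can be submitted ahead of the intended call by anyone who sees it (the classic permit front-running nuisance), which is why allowFailure-style tolerance is usually paired with checking the resulting allowance rather than relying on the permit call succeeding; and the `spender` in each approval should be the module that performs the withdrawal, since an approval granted to any other address does nothing for _retrieveFromYieldBox.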