code-423n4 / 2023-07-tapioca-findings


TricryptoNativeStrategy will stop working after a new lpGetter is set due to failure of setting the max allowance. #67

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/05ba7108a83c66dada98bc5bc75cf18004f2a49b/contracts/curve/TricryptoNativeStrategy.sol#L141-L146

Vulnerability details

Impact

Detailed description of the impact of this finding. TricryptoNativeStrategy will stop working after a new lpGetter is set by setTricryptoLPGetter(). The main problem is that when a new lpGetter is set, one needs to set the allowance IERC20(lpGetter.lpToken()).approve(_lpGetter, type(uint256).max) for TricryptoNativeStrategy. However, function setTricryptoLPGetter() fails to do that.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

TricryptoNativeStrategy.setTricryptoLPGetter() allows the contract owner to set a new lpGetter.

https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/05ba7108a83c66dada98bc5bc75cf18004f2a49b/contracts/curve/TricryptoNativeStrategy.sol#L141-L146

However, it does not approve a new max allowance of the lpToken to the new lpGetter. As a result, TricryptoNativeStrategy will stop working after a new lpGetter is set by setTricryptoLPGetter().

Tools Used

VSCode

Recommended Mitigation Steps

We need to add the statement IERC20(lpGetter.lpToken()).approve(_lpGetter, type(uint256).max) to set the allowance for the new _lpGetter.

Assessed type

Governance
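To make the pattern in this finding concrete, the following is an added illustration written for this page; it is not the Tapioca contract and does not reproduce its code. It uses a minimal stand-in strategy with two setters side by side: one that only moves the lpGetter pointer (the behaviour the finding describes), and one that applies the recommended max approval for the new getter and additionally revokes the old getter's allowance. The IERC20 and ITricryptoLPGetter interfaces, the constructor-time approval, the owner check and the function names ending in Vulnerable/Fixed are assumptions made for the example; only lpGetter, lpToken(), setTricryptoLPGetter and the approve statement come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example for this finding; not Tapioca's code.
// Minimal interfaces assumed for the example.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

interface ITricryptoLPGetter {
    function lpToken() external view returns (address);
}

/// Minimal stand-in for a strategy that lets its lpGetter pull LP tokens.
contract StrategyLPGetterExample {
    address public owner;
    ITricryptoLPGetter public lpGetter;

    event LPGetterSet(address indexed oldGetter, address indexed newGetter);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(ITricryptoLPGetter _lpGetter) {
        owner = msg.sender;
        lpGetter = _lpGetter;
        // Assumed deploy-time approval: the initial getter may pull the LP token.
        IERC20(_lpGetter.lpToken()).approve(address(_lpGetter), type(uint256).max);
    }

    /// Pattern the finding describes: the pointer moves, the allowance does not.
    /// Any later transferFrom by the new getter reverts for lack of allowance,
    /// and the old getter keeps an unlimited allowance it no longer needs.
    function setTricryptoLPGetterVulnerable(address _lpGetter) external onlyOwner {
        emit LPGetterSet(address(lpGetter), _lpGetter);
        lpGetter = ITricryptoLPGetter(_lpGetter);
    }

    /// Hardened form: revoke the old getter, then grant the new one the max allowance
    /// recommended in the finding. Revoking first (set to 0) also works with tokens
    /// that reject a non-zero -> non-zero approve.
    function setTricryptoLPGetterFixed(address _lpGetter) external onlyOwner {
        require(_lpGetter != address(0), "zero getter");
        address oldGetter = address(lpGetter);
        if (oldGetter != address(0)) {
            IERC20(lpGetter.lpToken()).approve(oldGetter, 0);
        }
        // Re-read the LP token from the new getter: it need not be the same token.
        address newLp = ITricryptoLPGetter(_lpGetter).lpToken();
        IERC20(newLp).approve(_lpGetter, type(uint256).max);
        lpGetter = ITricryptoLPGetter(_lpGetter);
        emit LPGetterSet(oldGetter, _lpGetter);
    }

    /// Invariant a unit test or monitor can check after any setter call:
    /// the current getter holds the max allowance on the current LP token.
    function currentGetterApproved() external view returns (bool) {
        return IERC20(lpGetter.lpToken()).allowance(address(this), address(lpGetter))
            == type(uint256).max;
    }
}
```

In a test, call setTricryptoLPGetterVulnerable and then currentGetterApproved(): it returns false, which is the failure mode the finding reports. After setTricryptoLPGetterFixed it returns true, and the old getter's allowance reads 0. Checking this invariant in the setter's test, rather than only in the deposit path, catches the bug before a governance call rotates the getter in production.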

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #52

c4-judge commented 1 year ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

dmvt marked the issue as grade-b

c4-judge commented 1 year ago

dmvt marked the issue as grade-a