search

sherlock-audit / 2023-01-derby-judging

4 stars 1 forks source link

gkrastenov - Unexpected user can make deposit if training variable is not setted to true #374

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

gkrastenov

medium

Unexpected user can make deposit if training variable is not setted to true

Summary

Unexpected user can make deposit if training variable is not setted to true

Vulnerability Detail

Training is used in the deposit function. When true the maximum amount a user can deposit is capped to maxTrainingDeposit and only whitelisted addresses will be able to deposit. This will be true at launch. When everything is working correctly it will be set to false. Before the 'taste' phase of the protocol unexpected user can make deposit.

Impact

The training storage variable should be setted to false when everything is working correctly but before that should be true. Unexpected user can make deposit before the variable to be setted to true because by default variable is false and is not initillized in constructor.

Code Snippet

https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/MainVault.sol#L110

Tool used

Manual Review

Recommendation

Set variable to be true in constructor.

  constructor(
    string memory _name,
    string memory _symbol,
    uint8 _decimals,
    uint256 _vaultNumber,
    address _dao,
    address _game,
    address _controller,
    address _vaultCurrency,
    uint256 _uScale
  )
    VaultToken(_name, _symbol, _decimals)
    Vault(_vaultNumber, _dao, _controller, _vaultCurrency, _uScale)
  {
    training = true,
    exchangeRate = _uScale;
    game = _game;
    governanceFee = 0;
    maxDivergenceWithdraws = 1_000_000;
  }