Unexpected user can make deposit if training variable is not setted to true
Summary
Unexpected user can make deposit if training variable is not setted to true
Vulnerability Detail
Training is used in the deposit function. When true the maximum amount a user can deposit is capped to maxTrainingDeposit and only whitelisted addresses will be able to deposit. This will be true at launch. When everything is working correctly it will be set to false. Before the 'taste' phase of the protocol unexpected user can make deposit.
Impact
The training storage variable should be setted to false when everything is working correctly but before that should be true. Unexpected user can make deposit before the variable to be setted to true because by default variable is false and is not initillized in constructor.
gkrastenov
medium
Unexpected user can make deposit if training variable is not setted to true
Summary
Unexpected user can make deposit if training variable is not setted to true
Vulnerability Detail
Training
is used in thedeposit
function. When true the maximum amount a user can deposit is capped tomaxTrainingDeposit
and only whitelisted addresses will be able to deposit. This will be true at launch. When everything is working correctly it will be set to false. Before the 'taste' phase of the protocol unexpected user can make deposit.Impact
The
training
storage variable should be setted to false when everything is working correctly but before that should be true. Unexpected user can make deposit before the variable to be setted to true because by default variable is false and is not initillized in constructor.Code Snippet
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/MainVault.sol#L110
Tool used
Manual Review
Recommendation
Set variable to be true in constructor.