Game.sol has the homeVault which is set the onlyDao.
It is not set in the constructor and separate function is used .
This homeVault plays crucial role in redeemNegativeRewards and redeemRewards. there are too many parameters need to be set by the owner/admin/munltisig/dao. By any chance if the homeVault is missed to set, then the rewards would end with dead vault.
ak1
medium
Game.sol : set
homeVaultinside the constructorSummary
Game.sol has the
homeVaultwhich is set theonlyDao.It is not set in the constructor and separate function is used .
This
homeVaultplays crucial role inredeemNegativeRewardsandredeemRewards. there are too many parameters need to be set by the owner/admin/munltisig/dao. By any chance if thehomeVaultis missed to set, then the rewards would end with dead vault.Vulnerability Detail
refer the summary section.
Impact
loss of rewards to the protocol
Code Snippet
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Game.sol#L308
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Game.sol#L552
Tool used
Manual Review
Recommendation
set the homevault paremeters in constructor itself like for other input parameters like dao and so.