Protocol will not work well with yield earning tokens that may have pause functionality like yTokens. Common stablecoin tokens with Pause functionality like USDC or USDT
Vulnerability Detail
yield earning tokens like yTokens from Yearn Finance e.g yETH, yDAI, yUSDC can be paused in certain cases e. g by governance. This implies all parts of protocol may not be able to send tokens in and out of protocol, transfer these tokens as expected
Impact
It will impact adding removing liquidity, swapping, skimming, returning funds to users and more aspect. e, g
uint256 prevBalance = pt.balanceOf(address(this));
uint256 underlyingUsed = INapierPool(pool).swapUnderlyingForPt(
index,
ptOutDesired,
address(this), // this contract will receive principal token from pool
data
);
pt.safeTransfer(recipient, pt.balanceOf(address(this)) - prevBalance);
return underlyingUsed;
It is recommended to maybe not allow these tokens as they are the only potential pausable yield bearing tokens or to add mechanisms that can allow handling of this special case or additionally keep track of Yearn Governance of issues to be ahead of any potential pause of tokens
MatricksDeCoder
medium
Protocol may not work well with pausable tokens
Summary
Protocol will not work well with yield earning tokens that may have pause functionality like yTokens. Common stablecoin tokens with Pause functionality like USDC or USDT
Vulnerability Detail
yield earning tokens like yTokens from Yearn Finance e.g yETH, yDAI, yUSDC can be paused in certain cases e. g by governance. This implies all parts of protocol may not be able to send tokens in and out of protocol, transfer these tokens as expected
Impact
It will impact adding removing liquidity, swapping, skimming, returning funds to users and more aspect. e, g
The following parts transferrring underlying token will fail https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierPool.sol#L284
Swapping bucket tokens for underlying will faill https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierPool.sol#L362
skimming of Napier Pool will fail https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierPool.sol#L533
Swapping with underlying token will fail https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L275
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/TrancheRouter.sol#L53
Code Snippet
Tool used
Manual Review
Recommendation
It is recommended to maybe not allow these tokens as they are the only potential pausable yield bearing tokens or to add mechanisms that can allow handling of this special case or additionally keep track of Yearn Governance of issues to be ahead of any potential pause of tokens