Wrong aave usage of claimRewards #49

@code423n4

Handle

jonah1005

Vulnerability details

Impact

Aave yield manager claims rewards with the payment token. According to Aave's documentation, aToken should be provided.
The Aave rewards would be unclaimable.

Proof of Concept

YieldManager's logic:
https://github.com/code-423n4/2021-08-floatcapital/blob/main/contracts/contracts/YieldManagerAave.sol#L161-L170

Reference:
https://docs.aave.com/developers/guides/liquidity-mining#claimrewards

Tools Used

None

Recommended Mitigation Steps

Change to

    address[] memory rewardsDepositedAssets = new address[](1);
    rewardsDepositedAssets[0] = address(aToken);
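
The recommended change in context, as an added example that is not part of the original report or of the Float Capital code base: a claim helper that passes the aToken to `claimRewards` and rejects a mismatched token pair at deployment. `RewardsClaimerSketch`, its event and its function names are hypothetical; the interface is a subset of Aave V2's incentives controller, and the `UNDERLYING_ASSET_ADDRESS()` getter on the aToken is an assumption about the deployed aToken.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Aave V2's incentives controller interface.
interface IAaveIncentivesController {
    function getRewardsBalance(address[] calldata assets, address user) external view returns (uint256);
    function claimRewards(address[] calldata assets, uint256 amount, address to) external returns (uint256);
}

// Assumption: the aToken exposes its underlying asset through this getter.
interface IATokenUnderlying {
    function UNDERLYING_ASSET_ADDRESS() external view returns (address);
}

// Hypothetical contract for illustration; not YieldManagerAave.
contract RewardsClaimerSketch {
    address public immutable paymentToken; // underlying deposited into Aave
    address public immutable aToken;       // interest-bearing token received for it
    IAaveIncentivesController public immutable incentives;

    event RewardsClaimed(uint256 pending, uint256 claimed);

    constructor(address _paymentToken, address _aToken, address _incentives) {
        // Fail at deployment if the two addresses are swapped or unrelated.
        require(_aToken != _paymentToken, "aToken == payment token");
        require(
            IATokenUnderlying(_aToken).UNDERLYING_ASSET_ADDRESS() == _paymentToken,
            "aToken/underlying mismatch"
        );
        paymentToken = _paymentToken;
        aToken = _aToken;
        incentives = IAaveIncentivesController(_incentives);
    }

    // Rewards are always sent to this contract, so the call can stay permissionless.
    function claimAaveRewards() external returns (uint256 claimed) {
        address[] memory rewardsDepositedAssets = new address[](1);
        rewardsDepositedAssets[0] = aToken; // the aToken, not paymentToken

        // Read the accrued amount first so the event records pending vs. claimed.
        uint256 pending = incentives.getRewardsBalance(rewardsDepositedAssets, address(this));
        if (pending == 0) return 0;

        claimed = incentives.claimRewards(rewardsDepositedAssets, pending, address(this));
        emit RewardsClaimed(pending, claimed);
    }
}
```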
