Yieldy: After updating curve pool, no more instantUnstakeCurve possible #133
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate
This issue or pull request already exists
Lines of code
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L79-L80
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L157-L160
Vulnerability details
Impact
After updating the curve pool using
setCurvePool
, one cannot useinstantUnstakeCurve
anymore, becauseTOKE_POOL
is not approved to the new curve pool.There is no other way to approve, so the
instantUnstakeCurve
functionality cannot be used with any new curve pool. When no curve pool was set in theinitialize
function, then there is no way to use theinstantUnstakeCurve
functionality.Proof of Concept
This proof of concept demonstrates that the
instantUnstakeCurve
reverts after the curve pool is updated.The set up for the proof of concept is almost identical to the test/stakingTest.ts except the curve pool was set to zero in the initialize.
Then the curve pool was updated by calling the
setCurvePool
function, then attempt to callinstantUnstakeCurve
, which reverts.Tools Used
hardhat
Recommended Mitigation Steps
Add the approve logic to the setCurvePool or setToAndFromCurve. Also consider adding logic to un-approve the previous curve pool, just in case the curve pool might be compromised.
The text was updated successfully, but these errors were encountered: