Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Yieldy: After updating curve pool, no more instantUnstakeCurve possible #133

Closed
code423n4 opened this issue Jun 26, 2022 · 1 comment
Closed

Yieldy: After updating curve pool, no more instantUnstakeCurve possible #133

code423n4 opened this issue Jun 26, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L79-L80
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L157-L160

Vulnerability details

Impact

After updating the curve pool using setCurvePool, one cannot use instantUnstakeCurve anymore, because TOKE_POOL is not approved to the new curve pool.
There is no other way to approve, so the instantUnstakeCurve functionality cannot be used with any new curve pool. When no curve pool was set in the initialize function, then there is no way to use the instantUnstakeCurve functionality.

Proof of Concept

This proof of concept demonstrates that the instantUnstakeCurve reverts after the curve pool is updated.
The set up for the proof of concept is almost identical to the test/stakingTest.ts except the curve pool was set to zero in the initialize.
Then the curve pool was updated by calling the setCurvePool function, then attempt to call instantUnstakeCurve, which reverts.

Tools Used

hardhat

Recommended Mitigation Steps

Add the approve logic to the setCurvePool or setToAndFromCurve. Also consider adding logic to un-approve the previous curve pool, just in case the curve pool might be compromised.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 26, 2022
code423n4 added a commit that referenced this issue Jun 26, 2022
@code423n4
zzzitron issue #133
ebce878
@toshiSat toshiSat mentioned this issue Jun 27, 2022
Open
@toshiSat toshiSat added the duplicate This issue or pull request already exists label Jun 27, 2022
@toshiSat
Copy link
Collaborator

duplicate #165

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@toshiSat @code423n4 @itsmetechjay