No way to set CURVE_POOL approval after setting new curve pool address #165
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L157-L160
Vulnerability details
Impact
Staking.setCurvePool() allows the owner to set a new CURVE_POOL address; however, there is no way to set token approvals to the new address. The only calls to token.approve() are found in the constructor. Therefore, there's no true way to set a new curve pool. All calls to ICurvePool(CURVE_POOL).exchange() will fail.
Tools Used
Manual review.
Recommended Mitigation Steps
Set approvals for the new curve pool address in the same setCurvePool() function.
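A sketch of the recommended mitigation, added here as an illustration and not taken from the project's Staking.sol. The contract name, the owner check, the TOKENS array and the constructor shape are assumptions; only CURVE_POOL, setCurvePool() and the approve() calls come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Minimal interface declared inline so the sketch compiles on its own.
// Assumption: the tokens return a bool from approve().
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical reduction of a staking contract that swaps through a Curve pool.
contract CurvePoolApprovalSketch {
    address public immutable owner;
    address public CURVE_POOL;
    IERC20[] private TOKENS; // assumed: tokens the contract hands to exchange()

    event CurvePoolChanged(address indexed oldPool, address indexed newPool);

    constructor(address _curvePool, IERC20[] memory _tokens) {
        owner = msg.sender;
        CURVE_POOL = _curvePool;
        for (uint256 i = 0; i < _tokens.length; i++) {
            TOKENS.push(_tokens[i]);
            // As in the report, the initial approvals are granted at construction.
            if (_curvePool != address(0)) {
                require(_tokens[i].approve(_curvePool, type(uint256).max), "approve failed");
            }
        }
    }

    function setCurvePool(address _curvePool) external {
        require(msg.sender == owner, "not owner");
        require(_curvePool != address(0), "zero address");
        address oldPool = CURVE_POOL;
        CURVE_POOL = _curvePool;
        for (uint256 i = 0; i < TOKENS.length; i++) {
            // Revoke the stale allowance so the retired pool can no longer pull tokens.
            if (oldPool != address(0)) {
                require(TOKENS[i].approve(oldPool, 0), "revoke failed");
            }
            // Grant the allowance the new pool needs for exchange() to succeed.
            require(TOKENS[i].approve(_curvePool, type(uint256).max), "approve failed");
        }
        emit CurvePoolChanged(oldPool, _curvePool);
    }
}
```

Revoking the old allowance is not part of the report's recommendation; it is included because an unlimited approval left on a retired pool address remains spendable by that address.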