New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Audit fix 94 one approve #17
Conversation
contracts/SushiYieldSource.sol
Outdated
///@notice Approve SUSHI to spend infinite sushiBar (xSUSHI) | ||
/// @dev No initializer flag required | ||
function intialize() external { | ||
sushiAddr.safeApprove(address(sushiBar), type(uint256).max); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this safe or do we need the intiailizer modifier?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@asselstine Is it safe to have public access to this function?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, because the SushiBar is an immutable contract that is very simple
contracts/SushiYieldSource.sol
Outdated
|
||
///@notice Approve SUSHI to spend infinite sushiBar (xSUSHI) | ||
/// @dev No initializer flag required | ||
function intialize() external { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should really be called 'approveMax' or something
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added the function here: 40953c8
We need to use safeIncreaseAllowance
, otherwise approve
will always revert with SafeERC20: approve from non-zero to non-zero allowance
cause we've already approved the max amount in the constructor.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, should we add the sponsor
and transferERC20
functions?
This way we gonna have to add the onlyOwnerOrAssetManager
modifier and we can then use the isOwner
function for approveMaxAmount
.
contracts/SushiYieldSource.sol
Outdated
|
||
mapping(address => uint256) public balances; | ||
|
||
constructor(ISushiBar _sushiBar, ISushi _sushiAddr) public { | ||
constructor(ISushiBar _sushiBar, IERC20 _sushiAddr) public { | ||
sushiBar = _sushiBar; | ||
sushiAddr = _sushiAddr; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should approve max here in the constructor as well, so that the yield source is ready
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done: 40953c8
4030e79
to
40953c8
Compare
contracts/SushiYieldSource.sol
Outdated
/// @return The actual amount of tokens that were redeemed. This may be different from the amount passed due to the fractional math involved. | ||
function redeemToken(uint256 amount) public override returns (uint256) { | ||
/// @return The actual amount of tokens that were redeemed. This may be different from the amount passed due to the fractional math involved. | ||
function redeemToken(uint256 amount) external override returns (uint256) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could use a reentrancy guard....is this covered elsewhere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this PR yes: #10
40953c8
to
0e6c145
Compare
0e6c145
to
abf108f
Compare
abf108f
to
913afe2
Compare
as per code-423n4/2021-06-pooltogether-findings#94