Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $50,000 USDC
Total HM: 31
Participants: 99
Period: 5 days
Judges: moose-code, JasoonS, denhampreen
Total Solo HM: 17
Id: 139
League: ETH
Rank: 39/99
Findings: 2
Award: $125.60
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: 0xDjango
Also found by: BowTiedWardens, Metatron, cccz, hansfriese, shung, ych18, zzzitron
72.4441 USDC - $72.44
Staking.setCurvePool() allows the owner to set a new CURVE_POOL address; however, there is no way to set token approvals to the new address. The only calls to token.approve() are found in the constructor. Therefore, there's no true way to set a new curve pool. All calls to ICurvePool(CURVE_POOL).exchange() will fail.
Manual review.
Set approvals for the new curve pool address in the same setCurvePool() function.
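The pattern described in this finding and the recommended fix, side by side, as an added sketch that is not the audited Staking contract's code. The contract name StakingSketch, the single TOKEN, the owner check and setCurvePoolNoApproval are assumptions for illustration, and revoking the old pool's allowance is an extra step beyond the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Minimal interface; assumes a standard ERC-20 whose approve() returns bool.
// For tokens that return nothing, a SafeERC20-style wrapper is needed instead.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Illustrative contract only (hypothetical names, single token).
contract StakingSketch {
    address public immutable owner;
    address public immutable TOKEN; // assumed: the asset swapped through the pool
    address public CURVE_POOL;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address token, address curvePool) {
        owner = msg.sender;
        TOKEN = token;
        CURVE_POOL = curvePool;
        // As in the finding: the only approval is granted here.
        require(IERC20(token).approve(curvePool, type(uint256).max), "approve failed");
    }

    // Pattern from the finding: the address changes but the allowance does not,
    // so the new pool cannot pull tokens and every exchange() through it reverts.
    function setCurvePoolNoApproval(address newPool) external onlyOwner {
        CURVE_POOL = newPool;
    }

    // Recommended pattern: move the allowance together with the address.
    function setCurvePool(address newPool) external onlyOwner {
        require(newPool != address(0), "zero address");
        address oldPool = CURVE_POOL;
        if (oldPool != address(0) && oldPool != newPool) {
            // Extra hardening: a retired pool keeps no spending rights.
            require(IERC20(TOKEN).approve(oldPool, 0), "revoke failed");
        }
        CURVE_POOL = newPool;
        require(IERC20(TOKEN).approve(newPool, type(uint256).max), "approve failed");
    }
}
```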
#0 - toshiSat
2022-06-27T21:52:47Z
duplicate #133
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, FudgyDRS, Funen, GalloDaSballo, GimelSec, JC, Kaiziron, Lambda, Limbooo, Metatron, MiloTruck, Noah3o6, Picodes, PumpkingWok, PwnedNoMore, Sm4rty, StErMi, TomJ, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ak1, antonttc, berndartmueller, cccz, cryptphi, csanuragjain, defsec, delfin454000, dipp, elprofesor, exd0tpy, fatherOfBlocks, hake, hansfriese, hubble, joestakey, kenta, ladboy233, mics, oyc_109, pashov, pedr02b2, reassor, robee, samruna, scaraven, shung, sikorico, simon135, sseefried, tchkvsky, unforgiven, zzzitron
53.1558 USDC - $53.16
It's probably not likely that the Yieldy token is upgraded to a version that does not revert on failure, but if that happens, users may lose funds when claiming.