Platform: Code4rena
Start Date: 17/06/2021
Pot Size: $60,000 USDC
Total HM: 12
Participants: 12
Period: 7 days
Judge: LSDan
Total Solo HM: 8
Id: 14
League: ETH
Rank: 8/12
Findings: 1
Award: $582.70
Selected for report: 1
Solo Findings: 0
Selected for report: GalloDaSballo
582.701 USDC - $582.70
GalloDaSballo
The assumption that a yield source is valid just because it has the method depositToken is not a security guarantee.
I could create any random contract with that function; that is not a guarantee that the contract will behave as intended.
I believe a better solution would be to have a registry, controlled by governance, that accepts the valid yield sources.
A valid registry ensures that the yield sources are properly maintained.
In summary: there is no security difference between having the check and not having the check, because the check can be sidelined without any effort and doesn't truly provide any guarantee of the contract being valid.
No checks would save you gas,
while having a governance registry would guarantee that the usable yield sources are exclusively the community-vetted ones.
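The two designs the finding contrasts, as an added Solidity illustration that is not PoolTogether's code: a contract that answers `depositToken()` and nothing useful beyond that passes a selector probe, while a governance-controlled allowlist rejects it. `IYieldSource` here is a minimal stand-in with only the methods this example needs; `RuggingYieldSource`, `DuckTypeCheck`, `YieldSourceRegistry`, `YieldSourcePool` and `PoolFactory` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration added to this page; not PoolTogether code. Hypothetical minimal
// yield-source interface: only the methods used below.
interface IYieldSource {
    function depositToken() external view returns (address);
    function supplyTokenTo(uint256 amount, address to) external;
    function redeemToken(uint256 amount) external returns (uint256);
}

// Hypothetical: satisfies the "has depositToken()" probe, but never returns funds.
contract RuggingYieldSource is IYieldSource {
    address public immutable token;
    address public immutable deployer;

    constructor(address _token) {
        token = _token;
        deployer = msg.sender;
    }

    function depositToken() external view override returns (address) {
        return token; // exactly what a probe for "has depositToken" wants to see
    }

    function supplyTokenTo(uint256, address) external override {
        // A genuine source would pull tokens and put them to work; this one
        // keeps whatever the pool transferred to it and records nothing.
    }

    function redeemToken(uint256) external pure override returns (uint256) {
        return 0; // redemptions never pay out
    }
}

// The kind of check the finding argues against: "does it answer depositToken()?"
library DuckTypeCheck {
    function looksLikeYieldSource(address candidate) internal view returns (bool) {
        (bool ok, bytes memory ret) = candidate.staticcall(
            abi.encodeWithSelector(IYieldSource.depositToken.selector)
        );
        // RuggingYieldSource passes this exactly as a legitimate source would.
        return ok && ret.length == 32;
    }
}

// The recommended alternative: an allowlist only governance can change.
contract YieldSourceRegistry {
    address public governance;
    mapping(address => bool) public isApproved;

    event YieldSourceApproved(address indexed source);
    event YieldSourceRevoked(address indexed source);
    event GovernanceTransferred(address indexed from, address indexed to);

    modifier onlyGovernance() {
        require(msg.sender == governance, "YieldSourceRegistry/not-governance");
        _;
    }

    constructor(address _governance) {
        require(_governance != address(0), "YieldSourceRegistry/zero-governance");
        governance = _governance;
    }

    function approve(address source) external onlyGovernance {
        require(source.code.length > 0, "YieldSourceRegistry/not-a-contract");
        isApproved[source] = true;
        emit YieldSourceApproved(source);
    }

    function revoke(address source) external onlyGovernance {
        isApproved[source] = false;
        emit YieldSourceRevoked(source);
    }

    function transferGovernance(address to) external onlyGovernance {
        require(to != address(0), "YieldSourceRegistry/zero-governance");
        emit GovernanceTransferred(governance, to);
        governance = to;
    }
}

// Hypothetical pool and factory: the factory consults the registry, not a selector probe.
contract YieldSourcePool {
    IYieldSource public immutable yieldSource;
    constructor(IYieldSource _yieldSource) { yieldSource = _yieldSource; }
}

contract PoolFactory {
    YieldSourceRegistry public immutable registry;
    constructor(YieldSourceRegistry _registry) { registry = _registry; }

    function createPool(IYieldSource source) external returns (YieldSourcePool pool) {
        // RuggingYieldSource is refused here unless governance explicitly approved it.
        require(registry.isApproved(address(source)), "PoolFactory/yield-source-not-vetted");
        pool = new YieldSourcePool(source);
    }
}
```

`DuckTypeCheck.looksLikeYieldSource` returns true for `RuggingYieldSource` because the probe only proves that some function with that selector returned a 32-byte word, which is the point the finding makes: the check costs gas and rejects nothing an attacker would deploy. The registry moves the decision to whoever holds `governance`; the `code.length` check in `approve` only guards against typos of an EOA address, and `revoke` exists so a source that later turns out to be broken can be withdrawn from the allowlist.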
#0 - asselstine
2021-06-26T18:40:33Z
It's possible for a malicious developer to fork our code and create a pool with a rugging yield source. That can't really be helped either way.
We decide which pools to display on https://app.pooltogether.com, so we can vet pools already.