Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of nonReentrant modifier in yield source contracts #119

Open
code423n4 opened this issue Jun 24, 2021 · 1 comment
Open

Lack of nonReentrant modifier in yield source contracts #119

code423n4 opened this issue Jun 24, 2021 · 1 comment
Assignees
@kamescg
Labels
1 (Low Risk) ATokenYieldSource BadgerYieldSource bug Something isn't working IdleYieldSource sponsor confirmed SushiYieldSource

Comments

@code423n4
Copy link
Contributor

Handle

shw

Vulnerability details

Impact

The YearnV2YieldSource contract prevents the supplyTokenTo, redeemToken, and sponsor functions from being reentered by applying a nonReentrant modifier. Since these contracts share a similar logic, adding a nonReentrant modifier to these functions in all of the yield source contracts is reasonable. However, the same protection is not seen in other yield source contracts.

Proof of Concept

A nonReentrant modifier in the following functions is missing:

  1. The sponsor function of ATokenYieldSource
  2. The supplyTokenTo and redeemToken function of BadgerYieldSource
  3. The sponsor function of IdleYieldSource
  4. The supplyTokenTo and redeemToken function of SushiYieldSource

Referenced code:
ATokenYieldSource.sol#L233
BadgerYieldSource.sol#L43
BadgerYieldSource.sol#L57
IdleYieldSource.sol#L150
SushiYieldSource.sol#L47
SushiYieldSource.sol#L66

Recommended Mitigation Steps

Add a nonReentrant modifier to these functions. For BadgerYieldSource and SushiYieldSource contracts, make them inherit from Openzeppelin's ReentrancyGuardUpgradeable to use the nonReentrant modifier.
@code423n4 code423n4 added 1 (Low Risk) bug Something isn't working labels Jun 24, 2021
code423n4 added a commit that referenced this issue Jun 24, 2021
@code423n4
shw issue #119
8077bd1
This was referenced Jun 24, 2021
Closed
Closed
Closed
@kamescg kamescg self-assigned this Jun 28, 2021
@kamescg
Copy link
Collaborator

kamescg commented Jun 28, 2021

ATokenYieldSource: https://github.com/pooltogether/aave-yield-source/tree/fix/119
SushiYieldSource: https://github.com/pooltogether/sushi-pooltogether/pull/new/fix/119
BadgerYieldSource: https://github.com/pooltogether/badger-yield-source/pull/new/fix/119
IdleYieldSource: https://github.com/pooltogether/idle-yield-source/pull/new/fix/119

This was referenced Jun 29, 2021
Merged
Merged
Merged
Merged
This was referenced Jul 12, 2021
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kamescg kamescg

Labels
1 (Low Risk) ATokenYieldSource BadgerYieldSource bug Something isn't working IdleYieldSource sponsor confirmed SushiYieldSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@PierrickGT @kamescg @asselstine @code423n4