Omniscia Echidna Finance Audit

RewardFactory Manual Review Findings

RFY-01M: Redundant Re-Invocation Capability

Description:

The linked function initializes sensitive contract variables and as such should be invoked only once.

Example:

contracts/rewards/RewardFactory.sol

function setImpl(
    address _RewardPoolImpl,
    address _virtualBalanceRewardPoolimpl
) public {
    require(msg.sender == IBooster(booster).owner(), "!auth");
    RewardPoolImpl = _RewardPoolImpl;
    virtualBalanceRewardPoolimpl = _virtualBalanceRewardPoolimpl;
}

Recommendation:

We advise this to be enforced via a require check that ensures the implementations haven't already been set.
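
One way to express the recommended check, as an added example that is not the Echidna Finance code or Omniscia's own patch. The contract name RewardFactorySetOnce, the constructor, the ImplementationsSet event, the zero-address check, the revert strings "already set" and "zero impl", and the compiler version are assumptions made for illustration; only setImpl, its two parameters, the two storage variables and the IBooster(booster).owner() check come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed compiler version; not stated in the finding

// Minimal interface, reduced to the one call setImpl makes.
interface IBooster {
    function owner() external view returns (address);
}

// Hypothetical reduced contract: only the state touched by setImpl is kept.
contract RewardFactorySetOnce {
    address public immutable booster; // assumed to be fixed at deployment
    address public RewardPoolImpl;
    address public virtualBalanceRewardPoolimpl;

    // Hypothetical event so the single initialization is visible off-chain.
    event ImplementationsSet(
        address rewardPoolImpl,
        address virtualBalanceRewardPoolImpl
    );

    constructor(address _booster) {
        booster = _booster;
    }

    function setImpl(
        address _RewardPoolImpl,
        address _virtualBalanceRewardPoolimpl
    ) external {
        require(msg.sender == IBooster(booster).owner(), "!auth");
        // Set-once guard: both slots must still hold their default value.
        require(
            RewardPoolImpl == address(0) &&
                virtualBalanceRewardPoolimpl == address(0),
            "already set"
        );
        // Reject zero addresses (assumption): a zero value would let the
        // call succeed while leaving the guard above open for a second call.
        require(
            _RewardPoolImpl != address(0) &&
                _virtualBalanceRewardPoolimpl != address(0),
            "zero impl"
        );
        RewardPoolImpl = _RewardPoolImpl;
        virtualBalanceRewardPoolimpl = _virtualBalanceRewardPoolimpl;
        emit ImplementationsSet(_RewardPoolImpl, _virtualBalanceRewardPoolimpl);
    }
}
```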

Alleviation:

The Echidna Finance team stated that they wish to be able to update the reward pool implementations if needed and as such, this functionality will remain in the codebase.