Unnecessary validation in Bera_Module::bera_infrared_stake should follow standard pattern
bera_infrared_stake calls validateToken(vault) and approves the token to the vault, but the token approval is unnecessary (the stake call does not pull tokens) and the validateToken on a vault address is the wrong shape. The standard pattern used by TraderV0::approve handles vault validation cleanly elsewhere.
Description
In Bera_Module::bera_infrared_stake, there is a call to validateToken(vault):
function bera_infrared_stake(address vault, address token, uint256 amount) externalonlyRole(EXECUTOR_ROLE) nonReentrant {validateToken(vault); // @audit unnecessaryIERC20(token).approve(vault, amount);IInfraredVault(vault).stake(amount);}
This is unusual because the validation is applied to vault rather than token. Additionally, the check is unnecessary since the token must already be present in the contract, and for that to happen, it must be included in allowedTokens.
However, the validateToken(vault) function does serve a purpose: it prevents the trader from using a malicious vault contract. Therefore, the target should still be validated, but using a more appropriate approach. This pattern is already established in other parts of the codebase, where the validation is performed inside the TraderV0::approve function. To maintain consistency, we suggest following the same approach here.
Consider removing both the validateToken(vault) call and the approval altogether:
function bera_infrared_stake(address vault, address token, uint256 amount) externalonlyRole(EXECUTOR_ROLE) nonReentrant {- validateToken(vault);- IERC20(token).approve(vault, amount);IInfraredVault(vault).stake(amount);}
Resolution
D2: Fixed in b0c4c4b.
Cyfrin: Verified.