The function supportToken does not configure the yield mode
Description
During the initialization, the contract BfxU uses the mapping rebasingTokens to record whether a token is rebasing. If the token is rebasing, it then calls its function configure to set the yield mode.
function initialize(
// [...]
address _defaultToken,
uint256 _minDeposit,
bool _rebasing,
address[] memory _otherTokens,
uint256[] memory _minDeposits,
bool[] memory _rebasingTokens
) public initializer {
// [...]
defaultToken = _defaultToken;
IERC20Rebasing(_defaultToken).configure(YieldMode.CLAIMABLE);
supportedTokens[_defaultToken] = true;
rebasingTokens[_defaultToken] = _rebasing;
if (_rebasing) {
IERC20Rebasing(_defaultToken).configure(YieldMode.CLAIMABLE);
}
minDeposits[_defaultToken] = _minDeposit;
for (uint256 i = 0; i < _otherTokens.length; i++) {
address token = _otherTokens[i];
supportedTokens[token] = true;
minDeposits[token] = _minDeposits[i];
rebasingTokens[token] = _rebasingTokens[i];
if (_rebasingTokens[i]) {
IERC20Rebasing(token).configure(YieldMode.CLAIMABLE);
}
}
// [...]
}However, when adding a token through the function supportToken, it does not record whether the token is rebasing, nor does it configure the yield mode.
function supportToken(
address token,
uint256 minDeposit
) external onlyOwner {
supportedTokens[token] = true;
minDeposits[token] = minDeposit;
emit SupportToken(token, minDeposit);
}Impact
For the native token on Blast, the yield will be lost if the yield mode is not configured.
For a stable token on Blast, if it is rebasing, the default yield mode will cause balance rebases. But the contract BfxU does not support rebasing tokens, which causes issues with internal accounting.
Recommendations
Consider adding a rebasing parameter to the function supportToken, recording its value to rebasingTokens, and configuring the yield mode when rebasing is true.
Remediation
This issue has been acknowledged by RabbitX, and a fix was implemented in commit a7fa5c60↗.