Hardcoded addresses

[rotcivegaf]

Affected smart contract

• https://github.com/LodestarFinance/lodestar-protocol/blob/cfca1ae275d023a02198798bbcb24b2a1f646776/contracts/Comptroller.sol#L1550
• https://github.com/LodestarFinance/lodestar-protocol/blob/cfca1ae275d023a02198798bbcb24b2a1f646776/contracts/CToken.sol#L473
• https://github.com/LodestarFinance/lodestar-protocol/blob/cfca1ae275d023a02198798bbcb24b2a1f646776/contracts/CToken.sol#L585

Description

The addresses on arbitrum:

• 0x21Dbd0C4f580e636aBc68327669A15239C82eee0 of function getCompAddress on contract Comptroller
• 0x67E57A0ec37768eaF99a364975ec4E1f98920D01 of function redeemBehalfInternal on contract CToken
• 0xB371BB8c9073E84FD54e0d8697816329397E743b of function borrowBehalfInternal on contract CToken

There are hardcoded and are not the ones used on the mainnet, as a example the getCompAddress should be the 0xF19547f9ED24aA66b03c3a552D181Ae334FBb8DB Also the address of the Whitelist should be the same

Attack scenario

Forgetting one or more of this three addresses could be broke the deploy/contracts, getting funds stuck in these contracts and other possible errors

Recommendation

Define this addresses in constructor