Closed code423n4 closed 2 years ago
Duplicate of #137
Handle
0xRajeev
Vulnerability details
Impact
For Auction.initialize(), there is no need to pass the Factory address as an argument, since Auction.initialize() can determine it from msg.sender, just as Basket.initialize() does. These initialize functions are only called by the Factory contract.
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L47-L52
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Factory.sol#L100-L101
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L39
Tools Used
Manual Analysis
Recommended Mitigation Steps
Remove the second parameter (the factory address) from the Auction.initialize() function.
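The mitigation above, shown as an added illustrative example rather than the project's own code. The contract names, the `basket_` parameter, the `initialized` guard and the `createAuction()` function are assumptions made for the example; the real Auction.initialize() signature is at the link in the Proof of Concept. The "before" version takes the factory address from the caller, the "after" version records `msg.sender`, and the Factory asserts that the recorded factory is itself. Note that recording `msg.sender` binds trust to whoever makes the first successful `initialize()` call, so the one-shot guard and the atomic create-then-initialize inside the Factory transaction are what make the pattern safe.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. Contract names, the basket_
// parameter and the createAuction() helper are assumptions.

// "Before": the factory address is supplied by the caller. Any caller
// could pass any address, so the stored value is only as trustworthy
// as the caller itself.
contract AuctionBefore {
    address public factory;
    address public basket;
    bool private initialized;

    function initialize(address basket_, address factory_) external {
        require(!initialized, "already initialized");
        initialized = true;
        basket = basket_;
        factory = factory_;
    }
}

// "After": the factory is whoever calls initialize(), so the second
// parameter is dropped. Because initialize() is only ever called by
// the Factory, msg.sender is the Factory address.
contract AuctionAfter {
    address public factory;
    address public basket;
    bool private initialized;

    function initialize(address basket_) external {
        require(!initialized, "already initialized");
        initialized = true;
        basket = basket_;
        factory = msg.sender;
    }
}

// The Factory deploys and initializes the auction in one transaction,
// so no other party can call initialize() first. The check at the end
// makes the assumption explicit: the auction must have recorded this
// contract as its factory.
contract Factory {
    event AuctionCreated(address indexed auction, address indexed basket);

    function createAuction(address basket) external returns (address) {
        AuctionAfter auction = new AuctionAfter();
        auction.initialize(basket);
        require(auction.factory() == address(this), "factory mismatch");
        emit AuctionCreated(address(auction), basket);
        return address(auction);
    }
}
```

If the auction is deployed as a clone or behind a proxy rather than with `new`, the same reasoning holds only if the Factory is still the first (and only) caller of `initialize()`; the `initialized` guard prevents a second call from overwriting the recorded factory.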