Handle
0xRajeev
Vulnerability details
Impact
Currently, only the basket tokenName is emitted in an event during proposeBasketLicense(). As reported in another finding, that name can be duplicated by the publisher because there are no checks on the proposed name.
It may help to emit unique basketIDs generated by the protocol so that off-chain monitoring can correlate basket names with basket IDs and detect fake/duplicate tokens. It would be even better to consider emitting an event with token/weight details for off-chain monitoring/verification.
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Factory.sol#L87
Tools Used
Manual Analysis
Recommended Mitigation Steps
Consider emitting an event with basket ID and token/weight composition for offchain monitoring/verification.
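As an added illustration of why the richer event matters (this is example code written for this review, not the audited project's code), the monitor below consumes already-decoded proposal events. The event shape `{ basketId, tokenName, tokens, weights }` is an assumption modelled on the recommendation above, and the sample logs are constructed inline. With the name-only event the Factory currently emits, every proposal under the same name collapses to a single string and nothing can be correlated; with a protocol-assigned basket ID plus composition, the monitor can raise an alert for each later basket that reuses a name and say whether it is a clone (same composition) or an impostor (different composition).

```javascript
// Added example for this finding, not code from the audited repository.
// Assumed event shape after ABI decoding: { basketId, tokenName, tokens, weights }.

// Constructed sample of decoded proposal events (not real chain data).
const SAMPLE_LOGS = [
  { basketId: 1, tokenName: "DEFI10", tokens: ["0xaaa1", "0xbbb2"], weights: [60, 40] },
  { basketId: 2, tokenName: "DEFI10", tokens: ["0xbbb2", "0xaaa1"], weights: [40, 60] }, // same name, same composition
  { basketId: 3, tokenName: "DEFI10", tokens: ["0xccc3"], weights: [100] },               // same name, different composition
  { basketId: 4, tokenName: "BLUE5", tokens: ["0xddd4", "0xeee5"], weights: [50, 50] },
];

// Canonical fingerprint of a basket's composition: token/weight pairs are
// normalised and sorted so that ordering differences cannot hide an identical basket.
function compositionKey(tokens, weights) {
  if (tokens.length !== weights.length) {
    throw new Error("tokens/weights length mismatch");
  }
  return tokens
    .map((token, i) => `${token.toLowerCase()}:${weights[i]}`)
    .sort()
    .join(",");
}

// Walk proposals in basketId order. The first basket seen under a name is the
// reference; every later basket with the same name but a different ID is an alert.
// kind = "clone" when the composition matches the reference, "impostor" otherwise.
function duplicateAlerts(logs) {
  const firstByName = new Map();
  const alerts = [];
  const ordered = [...logs].sort((a, b) => a.basketId - b.basketId);
  for (const log of ordered) {
    const composition = compositionKey(log.tokens, log.weights);
    const first = firstByName.get(log.tokenName);
    if (!first) {
      firstByName.set(log.tokenName, { basketId: log.basketId, composition });
      continue;
    }
    if (first.basketId === log.basketId) continue; // re-emission for the same basket, not a duplicate
    alerts.push({
      tokenName: log.tokenName,
      basketId: log.basketId,
      firstBasketId: first.basketId,
      kind: composition === first.composition ? "clone" : "impostor",
    });
  }
  return alerts;
}

// What a monitor sees with the current name-only event: distinct names only.
// Three proposals called "DEFI10" are indistinguishable from one.
function nameOnlyView(logs) {
  return [...new Set(logs.map((log) => log.tokenName))];
}

console.log("name-only view:", nameOnlyView(SAMPLE_LOGS));
console.log("alerts with basketId + composition:", duplicateAlerts(SAMPLE_LOGS));
```

The composition fingerprint is what lets the monitor distinguish a harmless re-listing from a basket that borrows a trusted name while holding different tokens; without the ID in the event, the alert would have no stable key to attach to.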