Open code423n4 opened 2 years ago
Can't find a duplicate, @maxsam4?
Yeah, I can't find it anymore either. In any case, I don't see the issue here. If you assign 100% of the weight to 1 token, you obviously can't assign anything to other tokes so the deployment should and does fail.
Agree in part with the sponsor, I see this as a code clarity issue. The fact that there is no risk seems to be incidental, and not by design. Unclear in any case.
Handle
0xRajeev
Vulnerability details
Impact
MAX_WEIGHT and MAX_TOTAL_WEIGHT are both initialized to the same value of BASE * 50, in IndexPool, which means that a single token of MAX_WEIGHT is allowed but pool creation will fail because the MIN_WEIGHT of any other tokens added will exceed the MAX_TOTAL_WEIGHT for the pool. This will cause unexpected deployment failures if the deployer doesn’t account for such similarly initialized weight thresholds.
Proof of Concept
https://github.com/sushiswap/trident/blob/6bd4c053b6213ffc612987eb565aa3813d5f0d13/contracts/pool/IndexPool.sol#L30-L31
https://github.com/sushiswap/trident/blob/6bd4c053b6213ffc612987eb565aa3813d5f0d13/contracts/pool/IndexPool.sol#L70
https://github.com/sushiswap/trident/blob/6bd4c053b6213ffc612987eb565aa3813d5f0d13/contracts/pool/IndexPool.sol#L76
Tools Used
Manual Analysis
Recommended Mitigation Steps
Change MAX_TOTAL_WEIGHT to a different/higher value and check accordingly to make sure multiple tokens can be accommodated in the Index Pool with appropriate max/min/total weight thresholds.