Hardcoded WETH

[code423n4]

Handle

pauliax

Vulnerability details

Impact

WETH address is hardcoded but it may differ on other chains, e.g. Polygon, so make sure to check this before deploying and update if neccessary: address constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;

Recommended Mitigation Steps

You should consider injecting WETH address via the constructor.

[Ivshti]

removed mistakenly added duplicate/disagree with severity labels

[Ivshti]

resolved in https://github.com/AmbireTech/adex-protocol-eth/commit/03b6cf72c4c167b320133bc8ab0bd2d0e3ec5f65

[GalloDaSballo]

Agree with finding, the address of WETH can be different (and typically is) on different chain. The sponsor has mitigated