Closed code423n4 closed 2 years ago
WatchPug
https://github.com/Badger-Finance/badger-ibbtc-utility-zaps/blob/a5c71b72222d84b6414ca0339ed1761dc79fe56e/contracts/SettToRenIbbtcZap.sol#L32-L45
```solidity
IERC20Upgradeable public constant WBTC = IERC20Upgradeable(0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599);
IERC20Upgradeable public constant RENBTC = IERC20Upgradeable(0xEB4C2781e4ebA804CE9a9803C67d0893436bB27D);
IERC20Upgradeable public constant IBBTC = IERC20Upgradeable(0xc4E15973E6fF2A35cC804c2CF9D2a1b817a8b40F);

IZapRenWBTC public constant IBBTC_MINT_ZAP = IZapRenWBTC(0xe8E40093017A3A55B5c2BC3E9CA6a4d208c07734);

ISett public constant RENCRV_SETT = ISett(0x6dEf55d2e18486B9dDfaA075bc4e4EE0B28c1545);
address public constant WBTC_YEARN_SETT = 0x4b92d19c11435614CD49Af1b589001b7c08cD4D5;
```
The addresses of WBTC, RENBTC and IBBTC may differ on different networks.
Change to:
```solidity
// Token and zap addresses are set once at deployment instead of being hardcoded.
IERC20Upgradeable public immutable WBTC;
IERC20Upgradeable public immutable RENBTC;
IERC20Upgradeable public immutable IBBTC;

IZapRenWBTC public immutable IBBTC_MINT_ZAP;

ISett public immutable RENCRV_SETT;
address public immutable WBTC_YEARN_SETT;

constructor(
    address _WBTC,
    address _RENBTC,
    address _IBBTC,
    address _IBBTC_MINT_ZAP,
    address _RENCRV_SETT,
    address _WBTC_YEARN_SETT
) {
    WBTC = IERC20Upgradeable(_WBTC);
    RENBTC = IERC20Upgradeable(_RENBTC);
    IBBTC = IERC20Upgradeable(_IBBTC);
    IBBTC_MINT_ZAP = IZapRenWBTC(_IBBTC_MINT_ZAP);
    RENCRV_SETT = ISett(_RENCRV_SETT);
    // WBTC_YEARN_SETT is declared as address, so assign it without an ISett cast.
    WBTC_YEARN_SETT = _WBTC_YEARN_SETT;
}
```
Disagree with the finding: ibBTC and the setts are a mainnet product; we are not aiming for multichain for the zaps and have never mentioned that.
Agree with sponsor, marking as invalid.