Open code423n4 opened 2 years ago
WatchPug
https://github.com/code-423n4/2021-12-defiprotocol/blob/205d3766044171e325df6a8bf2e79b37856eece1/contracts/contracts/Auction.sol#L49-L57
```solidity
function initialize(address basket_, address factory_) public override {
    require(address(factory) == address(0));
    require(!initialized);

    basket = IBasket(basket_);
    factory = IFactory(factory_);
    initialized = true;
}
```
`Auction.sol#initialize()` is using the `factory_` parameter as the value of `factory`, while `Basket.sol#initialize()` uses `msg.sender`.
https://github.com/code-423n4/2021-12-defiprotocol/blob/205d3766044171e325df6a8bf2e79b37856eece1/contracts/contracts/Basket.sol#L44-L61
```solidity
function initialize(IFactory.Proposal memory proposal, IAuction auction_) external override {
    require(address(factory) == address(0));
    require(!initialized);

    publisher = proposal.proposer;
    licenseFee = proposal.licenseFee;
    factory = IFactory(msg.sender);
    auction = auction_;
    ibRatio = BASE;
    tokens = proposal.tokens;
    weights = proposal.weights;
    maxSupply = proposal.maxSupply;
    approveUnderlying(address(auction));
    __ERC20_init(proposal.tokenName, proposal.tokenSymbol);
    initialized = true;
}
```
Consider changing to `msg.sender` and removing the `factory_` parameter for the purpose of consistency and gas saving.
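The recommendation above, sketched as an added example that is not part of the original report or the audited repository: `AuctionSketch` and `FactorySketch` are hypothetical stand-ins, interface types are simplified to `address`, and deployment via `new` is an assumption made to keep the sketch self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added illustration. AuctionSketch and FactorySketch are hypothetical names,
// not contracts from the audited repository. IBasket/IFactory are replaced
// by plain addresses so the file compiles on its own.
contract AuctionSketch {
    bool public initialized;
    address public basket;
    address public factory;

    // The factory_ parameter is gone: the caller is recorded as the factory,
    // which is what Basket.sol#initialize() already does.
    function initialize(address basket_) public {
        require(address(factory) == address(0));
        require(!initialized);

        basket = basket_;
        factory = msg.sender;
        initialized = true;
    }
}

contract FactorySketch {
    event AuctionCreated(address auction);

    // Assumption: the factory deploys and initializes in a single transaction.
    function createAuction(address basket_) external returns (AuctionSketch auction) {
        auction = new AuctionSketch();
        // Inside initialize(), msg.sender is this factory contract.
        auction.initialize(basket_);
        // The stored factory is the caller, with no argument to pass or get wrong.
        require(auction.factory() == address(this));
        emit AuctionCreated(address(auction));
    }
}
```

Because `initialize` is declared `override` in the quoted code, the interface it overrides would need the same signature change.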