Handle
jayjonah8
Vulnerability details
Impact
In LiquidityBasedTWAP.sol, the constructor takes _vader and _vaderPool as addresses and sets them in storage. It checks that neither is the zero address, but it does not check that the two addresses differ from one another. This check should be added as a safeguard during deployment, as it can prevent a costly mistake.
Proof of Concept
https://github.com/code-423n4/2021-12-vader/blob/main/contracts/lbt/LiquidityBasedTWAP.sol#L38
Tools Used
Manual code review
Recommended Mitigation Steps
Add a check: require(address(_vader) != address(_vaderPool), "Addresses must be unique");