Open code423n4 opened 2 years ago
Tomio
Does this mean we have to pre-calculate the address and do the isContract check? Or do we simply wrap the `new TimeswapPair` line in require(isContract(...))?
Handle
Tomio
Vulnerability details
Impact
There is no check in createPair that the supplied addresses are contracts rather than EOAs (e.g. via extcodesize / address.code.length).
Proof of Concept
https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Core/contracts/TimeswapFactory.sol#L47
Tools Used
Recommended Mitigation Steps
Add the isContract function from OpenZeppelin's Address library (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/Address.sol#L36) and apply it in createPair.
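One way to apply the recommended mitigation, as an added example rather than Timeswap's own code: the isContract check is applied to the asset and collateral arguments before the pair is deployed. The createPair(IERC20, IERC20) signature, the TimeswapPair constructor arguments, and the use of OpenZeppelin 4.x (where Address.isContract exists) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x, where Address.isContract is available.
import "@openzeppelin/contracts/utils/Address.sol";

interface IERC20 {}
interface IPair {}

// Minimal stand-in for the real pair; constructor arguments are an assumption.
contract TimeswapPair is IPair {
    constructor(IERC20, IERC20, uint16, uint16) {}
}

contract TimeswapFactoryExample {
    using Address for address;

    mapping(IERC20 => mapping(IERC20 => IPair)) public getPair;
    uint16 public immutable fee;
    uint16 public immutable protocolFee;

    event CreatePair(IERC20 indexed asset, IERC20 indexed collateral, IPair pair);

    constructor(uint16 _fee, uint16 _protocolFee) {
        fee = _fee;
        protocolFee = _protocolFee;
    }

    function createPair(IERC20 asset, IERC20 collateral) external returns (IPair pair) {
        require(address(asset) != address(collateral), "identical tokens");
        // Added check: reject EOAs and undeployed addresses for both tokens.
        // Caveat: isContract (extcodesize) is false for a contract still running its
        // constructor and for addresses whose code is not deployed yet, so this guards
        // against mistakes (zero address, typo'd token address), not a determined caller.
        require(address(asset).isContract(), "asset is not a contract");
        require(address(collateral).isContract(), "collateral is not a contract");
        require(address(getPair[asset][collateral]) == address(0), "pair exists");

        // Deterministic deployment; `new` reverts on failure, so no check on `pair` is needed.
        pair = new TimeswapPair{salt: keccak256(abi.encode(asset, collateral))}(
            asset, collateral, fee, protocolFee
        );
        getPair[asset][collateral] = pair;
        emit CreatePair(asset, collateral, pair);
    }
}
```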