code-423n4 / 2022-05-aura-findings


Duplicate Contract Names #12

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/CrvDepositorWrapper.sol#L9

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraStakingProxy.sol#L10

Vulnerability details

Impact

If a codebase has two contracts with the same names, the compilation artifacts will not contain one of the contracts.

ICrvDepositor exists in both AuraStakingProxy and CrvDepositorWrapper

Tools

Manual Review

Recommended Mitigation Steps

Move the contract to an interface file and import it, or, if the interface differs, rename one of the contracts.
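A check for the condition reported above, as an added example that is not part of the original report or the project's code: it scans Solidity sources for contract, interface, or library names declared in more than one file. The function names and the embedded sample sources are assumptions constructed for illustration, and the scan is regex-based rather than a full Solidity parser.

```python
import re
from collections import defaultdict
# Solidity type declarations: contract, abstract contract, interface, library.
DECL = re.compile(r"^\s*(?:abstract\s+)?(contract|interface|library)\s+([A-Za-z_$][\w$]*)", re.M)
# Comments and string literals; strings are matched so a "//" inside one is not cut.
TOKEN = re.compile(r"/\*.*?\*/|//[^\n]*|\"(?:\\.|[^\"\\])*\"|'(?:\\.|[^'\\])*'", re.S)

def strip_comments(src):
    """Blank out comments, keeping newlines so line numbers stay correct."""
    def repl(m):
        text = m.group(0)
        return text if text[0] in "\"'" else "\n" * text.count("\n")
    return TOKEN.sub(repl, src)

def declarations(src):
    """Return (kind, name, line) for every declaration outside comments."""
    clean = strip_comments(src)
    return [(m.group(1), m.group(2), clean.count("\n", 0, m.start(2)) + 1)
            for m in DECL.finditer(clean)]

def duplicate_names(sources):
    """Map each name declared in more than one file to its (path, line, kind) sites."""
    seen = defaultdict(list)
    for path, src in sources.items():
        for kind, name, line in declarations(src):
            seen[name].append((path, line, kind))
    return {n: s for n, s in seen.items() if len({p for p, _, _ in s}) > 1}

# Constructed sample sources (not the project's code); function names are placeholders.
SAMPLE = {
    "contracts/CrvDepositorWrapper.sol": """\
/* constructed sample
interface ICrvDepositor {}  (inside a comment, must be ignored)
*/
interface ICrvDepositor {
    function placeholderA(address to, uint256 amount) external;
}
contract CrvDepositorWrapper {}
""",
    "contracts/AuraStakingProxy.sol": """\
interface ICrvDepositor {
    function placeholderB() external view returns (uint256);
}
contract AuraStakingProxy {}
""",
}
if __name__ == "__main__":
    for name, sites in duplicate_names(SAMPLE).items():
        print(name, "declared in:", ", ".join(f"{p}:{l}" for p, l, _ in sites))
```

Run in CI over the contents of the `contracts/` tree, a non-empty result can fail the build before a name collision reaches the compiled artifacts.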

phijfry commented 2 years ago

Based on the contracts that have been pointed out I can't see how this can lead to loss of funds as the severity suggests? Considering we are talking about compiled artifacts. Could the warden elaborate here?

0xMaharishi commented 2 years ago

This should be a 0 or 1 severity (being generous). There is no way for anything bad to happen here considering both the ABIs are different and used explicitly.

0xMaharishi commented 2 years ago

Fixed in https://github.com/code-423n4/2022-05-aura/pull/5

dmvt commented 2 years ago

This is definitely a code quality issue and a good report, but does not constitute a potential loss of funds or even dysfunction in the protocol itself. Downgrading to QA.