It is possible to create a Lendgine with the same tokens in a different order: (token0, token1) and (token1, token0). The function createLendgine() is adapted from Uniswap's createPair() function, and it has only one check:
    if (getLendgine[token0][token1][token0Exp][token1Exp][upperBound] != address(0)) revert DeployedError();
Unlike Uniswap, it does not sort the tokens first, so this single check is insufficient.
Proof of Concept
function testDeployedError2() external {
    factory.createLendgine(address(1), address(2), 18, 18, 1e18);
    vm.expectRevert(Factory.DeployedError.selector);
    factory.createLendgine(address(2), address(1), 18, 18, 1e18); // same tokens in different order
}
Tools Used
Manual review.
Recommended Mitigation Steps
Before this check, sort the two tokens by address:
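As an added example (not code from this report or from the Numoen repository), the sketch below applies Uniswap-style sorting before the duplicate check, swapping the exponents together with the tokens. It assumes the two token positions are interchangeable; `SortedFactorySketch`, `_sortTokens`, `SameTokenError`, `ZeroAddressError`, the `uint256` parameter types and the placeholder address stored in the mapping are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Illustrative registry only: it records a placeholder address instead of
// deploying a Lendgine. All names except getLendgine, createLendgine and
// DeployedError are hypothetical.
contract SortedFactorySketch {
    error SameTokenError();
    error ZeroAddressError();
    error DeployedError();

    // Keyed by the canonical ordering only (lower address first).
    mapping(address => mapping(address => mapping(uint256 => mapping(uint256 => mapping(uint256 => address)))))
        public getLendgine;

    // Returns the pair in canonical order, keeping each exponent with its token.
    function _sortTokens(address tokenA, uint256 expA, address tokenB, uint256 expB)
        internal
        pure
        returns (address token0, uint256 token0Exp, address token1, uint256 token1Exp)
    {
        if (tokenA == tokenB) revert SameTokenError();
        (token0, token0Exp, token1, token1Exp) =
            tokenA < tokenB ? (tokenA, expA, tokenB, expB) : (tokenB, expB, tokenA, expA);
        // After sorting, token0 is the smaller address, so one zero check covers both.
        if (token0 == address(0)) revert ZeroAddressError();
    }

    function createLendgine(address tokenA, address tokenB, uint256 expA, uint256 expB, uint256 upperBound)
        external
        returns (address lendgine)
    {
        (address token0, uint256 token0Exp, address token1, uint256 token1Exp) =
            _sortTokens(tokenA, expA, tokenB, expB);

        // (A, B) and (B, A) now resolve to the same slot, so the second call reverts.
        if (getLendgine[token0][token1][token0Exp][token1Exp][upperBound] != address(0)) revert DeployedError();

        // Placeholder for the real deployment step (assumption).
        lendgine = address(uint160(uint256(keccak256(abi.encode(token0, token1, token0Exp, token1Exp, upperBound)))));
        getLendgine[token0][token1][token0Exp][token1Exp][upperBound] = lendgine;
    }
}
```

With this ordering in place, the second `createLendgine` call in the proof of concept above hits the same mapping slot as the first and reverts with `DeployedError`.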
Lines of code
https://github.com/code-423n4/2023-01-numoen/blob/main/src/core/Factory.sol#L63-L88