code-423n4 / 2023-01-numoen-findings


The same Lendgine can be created #217

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-numoen/blob/main/src/core/Factory.sol#L63-L88

Vulnerability details

Impact

It is possible to create a Lendgine with the same tokens but in a different order - (token0, token1) and (token1, token0). The function createLendgine() is modified from the Uniswap function createPair(), and it has only one check:

if (getLendgine[token0][token1][token0Exp][token1Exp][upperBound] != address(0)) revert DeployedError();

But it does not have token sorting like in Uniswap, so a single check is insufficient.

Proof of Concept

  function testDeployedError2() external {
    factory.createLendgine(address(1), address(2), 18, 18, 1e18);

    vm.expectRevert(Factory.DeployedError.selector);
    factory.createLendgine(address(2), address(1), 18, 18, 1e18); //same tokens in different order
  }

Tools Used

Manual review.

Recommended Mitigation Steps

Before this check, sort the two tokens by address:

  if (token0 > token1) {
    address tmp = token0;
    token0 = token1;
    token1 = tmp;
    uint8 tmpExp = token0Exp;
    token0Exp = token1Exp;
    token1Exp = tmpExp;
  }

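The recommended sorting, placed in a minimal stand-in registry so the duplicate check can be exercised end to end. This is an added example, not code from the report or from the Numoen repository: `SortedRegistryExample`, `SortedRegistryCheck`, `SameTokenError` and the placeholder address derivation are hypothetical, and the mapping's key types are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Stand-in registry (hypothetical): records a placeholder address instead of
/// deploying a Lendgine, so only the key handling is demonstrated.
contract SortedRegistryExample {
    error DeployedError();
    error SameTokenError(); // assumption: identical tokens are rejected

    // Key order follows the getLendgine lookup quoted in the report; key types are assumed.
    mapping(address => mapping(address => mapping(uint256 => mapping(uint256 => mapping(uint256 => address)))))
        public getLendgine;

    function createLendgine(
        address token0,
        address token1,
        uint8 token0Exp,
        uint8 token1Exp,
        uint256 upperBound
    ) external returns (address lendgine) {
        if (token0 == token1) revert SameTokenError();
        // Canonical order: lower address first, and each exponent travels with its token.
        if (token0 > token1) {
            (token0, token1) = (token1, token0);
            (token0Exp, token1Exp) = (token1Exp, token0Exp);
        }
        if (getLendgine[token0][token1][token0Exp][token1Exp][upperBound] != address(0)) revert DeployedError();

        // Placeholder for the real deployment step.
        lendgine = address(uint160(uint256(keccak256(abi.encode(token0, token1, token0Exp, token1Exp, upperBound)))));
        getLendgine[token0][token1][token0Exp][token1Exp][upperBound] = lendgine;
    }
}

/// Self-check (hypothetical); run() returns true when the registry behaves as intended.
contract SortedRegistryCheck {
    function run() external returns (bool) {
        SortedRegistryExample r = new SortedRegistryExample();
        r.createLendgine(address(1), address(2), 18, 6, 1e18);
        // Same tokens and exponents with the arguments reversed: must hit DeployedError.
        try r.createLendgine(address(2), address(1), 6, 18, 1e18) returns (address) {
            return false;
        } catch {}
        // Exponents assigned the other way round form a different key, so this succeeds.
        r.createLendgine(address(2), address(1), 18, 6, 1e18);
        return true;
    }
}
```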
c4-judge commented 1 year ago

berndartmueller marked the issue as duplicate of #275

c4-judge commented 1 year ago

berndartmueller changed the severity to QA (Quality Assurance)