Closed by code423n4 1 year ago
Contested; it would be incredibly dangerous to allow a conduit controller to be updated and would introduce centralized control over the contract.
Removed this link for the warden, focuspocus, as they were unaware that they can now edit their own submissions prior to contest end.
That's the whole point of the variable being immutable.... controller's not meant to change.
HickupHH3 marked the issue as unsatisfactory: Insufficient quality
Lines of code
https://github.com/ProjectOpenSea/seaport/blob/5de7302bc773d9821ba4759e47fc981680911ea0/contracts/lib/ConsiderationBase.sol#L40
Vulnerability details
Impact
The _CONDUIT_CONTROLLER variable is immutable, meaning it cannot be reassigned to a different contract after the contract is deployed. This may be an issue if the original contract is no longer being maintained or if a different contract is needed for some reason.
Proof of Concept
One potential problem with this is that if the original contract that the _CONDUIT_CONTROLLER variable is set to during deployment is no longer being maintained or if a different contract is needed for some reason, there would be no way to update the variable to point to the new contract. This could cause issues with the functionality of the contract.
For example, imagine that the contract is being used in a decentralized exchange to facilitate token transfers. The original conduit controller contract that the _CONDUIT_CONTROLLER variable is set to during deployment is responsible for handling these token transfers. However, a security vulnerability is found in the original contract, and it is no longer being maintained. Without a way to update the _CONDUIT_CONTROLLER variable, the decentralized exchange would be unable to transfer tokens and could potentially lose a lot of money.
Tools Used
VS Code
Recommended Mitigation Steps