code-423n4 / 2023-03-asymmetry-findings


Missing Address Validation #260

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L182-L186

Vulnerability details

Explanation

The addDerivative function is used to add a specified contract address as a new derivative. However, since the function doesn't perform any address validation, it may allow the same address to be defined twice or the zero address to be defined by mistake. This could mislead investors' calculations and lead to undesirable consequences in the contract. Therefore, it's important to add address validation to the function to prevent the same address from being defined multiple times or the zero address from being applied.

Proof of Concept

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L182-L186

Tools Used

Manual review & Slither & MythX

Recommended Mitigation Steps

The following implementation can be applied to fix the issue.

function addDerivative(
    address _contractAddress,
    uint256 _weight
) external onlyOwner {
    // Reject the zero address before it can be stored as a derivative.
    require(_contractAddress != address(0), "Given address is not valid");
    // Reject an address that is already registered. Contract types have no
    // comparison operators in Solidity, so the stored entry is cast to address.
    for (uint256 i = 0; i < derivativeCount; i++)
        require(
            address(derivatives[i]) != _contractAddress,
            "Derivative already exists"
        );
    derivatives[derivativeCount] = IDerivative(_contractAddress);
    weights[derivativeCount] = _weight;
    derivativeCount++;

    uint256 localTotalWeight;
    for (uint256 i = 0; i < derivativeCount; i++)
        localTotalWeight += weights[i];
    totalWeight = localTotalWeight;
    emit DerivativeAdded(_contractAddress, _weight, derivativeCount);
}

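The same mitigation as a stand-alone contract, using an O(1) membership mapping instead of a loop over the registered derivatives. This is an added example, not SafEth's code or the warden's submission; the contract name, the stripped-down IDerivative interface, the custom errors and the hasNoDuplicates invariant helper are assumptions made so it compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Stand-in for the protocol's derivative interface (assumed; only the
// registry logic matters here, so no derivative functions are called).
interface IDerivative {
    function deposit() external payable returns (uint256);
    function withdraw(uint256 amount) external;
}

// Hypothetical minimal registry modelling the owner-gated addDerivative path.
contract DerivativeRegistry {
    address public owner;
    uint256 public derivativeCount;
    uint256 public totalWeight;
    mapping(uint256 => IDerivative) public derivatives;
    mapping(uint256 => uint256) public weights;
    // Membership marker, set once per address; makes the duplicate check O(1)
    // regardless of how many derivatives are registered.
    mapping(address => bool) public isDerivative;

    event DerivativeAdded(address indexed contractAddress, uint256 weight, uint256 index);

    error NotOwner();
    error ZeroAddress();
    error DuplicateDerivative(address contractAddress);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function addDerivative(address _contractAddress, uint256 _weight) external onlyOwner {
        // Both checks run before any state is written, so a failed call
        // leaves derivativeCount, weights and totalWeight untouched.
        if (_contractAddress == address(0)) revert ZeroAddress();
        if (isDerivative[_contractAddress]) revert DuplicateDerivative(_contractAddress);
        isDerivative[_contractAddress] = true;

        derivatives[derivativeCount] = IDerivative(_contractAddress);
        weights[derivativeCount] = _weight;
        derivativeCount++;

        // Recompute totalWeight from the weights mapping rather than adding
        // _weight incrementally, so the two can never drift apart.
        uint256 localTotalWeight;
        for (uint256 i = 0; i < derivativeCount; i++) localTotalWeight += weights[i];
        totalWeight = localTotalWeight;

        emit DerivativeAdded(_contractAddress, _weight, derivativeCount);
    }

    // Invariant helper for an invariant/fuzz harness: walks the list and
    // reports whether every registered address is non-zero and unique.
    function hasNoDuplicates() external view returns (bool) {
        for (uint256 i = 0; i < derivativeCount; i++) {
            address a = address(derivatives[i]);
            if (a == address(0)) return false;
            for (uint256 j = i + 1; j < derivativeCount; j++) {
                if (address(derivatives[j]) == a) return false;
            }
        }
        return true;
    }
}
```

The mapping check and the loop check in the submitted fix are equivalent for a short list; the mapping version costs one extra storage slot per derivative but its gas does not grow with derivativeCount, and hasNoDuplicates() gives an invariant that a fuzzer can assert after any sequence of addDerivative calls.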
c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as duplicate of #302

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)