c4-judge
commented
1 year ago 0xean changed the severity to QA (Quality Assurance)
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago 0xean changed the severity to QA (Quality Assurance)
c4-judge
commented
1 year ago 0xean marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Factories/VTokenProxyFactory.sol#L31 https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Pool/PoolRegistry.sol#L230
Vulnerability details
Impact
abi.encodeWithSelector doesn't provide type checking which can cause wrong data to be passed either accidently by user or intentionally by a malicious actor. Data passed through abi.encodeWithSelector is not checked for type matching and function will complete without being able to return error.
Proof of Concept
Wrong data also can go unnoticed even after being recorded in block as result will be unexpected. The reason is due to function abi.encodeWithSelector will execute wrong data type check this article for details.
Tools Used
Manual Review
Recommended Mitigation Steps
Recommendation is made for using abi.encodeCall to enhance data type check accuracy.
Assessed type
Invalid Validation