Open c4-submissions opened 1 year ago
raymondfam marked the issue as low quality report
Informational low, but will let the sponsor look into it.
raymondfam marked the issue as primary issue
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #477
gzeon-c4 changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/PoolManager.sol#L235-L255
Vulnerability details
Impact
All currencies are mapped to one EVM address, which should not be the case, as some currencies have different addresses on different EVM chains.
Proof of Concept
Take a look at PoolManager.sol#L235-L255.
As seen from the code implementation and the comments, currencies are only linked to one EVM address, which is wrong, since some currencies currently have more than one EVM address, i.e. different addresses for the same currency on different chains, with multiple popular stablecoins being an example of this. This is an issue, since interacting with the same currency on different EVM chains could lead to unexpected nuances.
Tool used
Manual Review
Recommended Mitigation Steps
The mapping of currencies to their EVM addresses needs to be refactored and take into account the fact that some currencies have more than one EVM address.
Assessed type
Context