code-423n4 / 2023-10-opendollar-findings


Protocol will not work on Arbitrum due to hardcoded _UNI_V3_FACTORY and _CAMELOT_FACTORY contract addresses #236

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/CamelotRelayer.sol#L20

https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/UniV3Relayer.sol#L18

Vulnerability details

Impact

Protocol will not work on Arbitrum due to hardcoded _UNI_V3_FACTORY and _CAMELOT_FACTORY contract addresses.

Proof of Concept

_CAMELOT_FACTORY in the CamelotRelayer is hardcoded as:

address constant GOERLI_CAMELOT_V3_FACTORY = 0x5Cd40c7E21A15E7FC2503Fffd77cF70c60628F6C; // AlgebraFactory

This address is the AlgebraFactory address on Goerli Arbitrum, but it is not on Arbitrum:

https://arbiscan.io/address/0x5Cd40c7E21A15E7FC2503Fffd77cF70c60628F6C

Note: Same for _UNI_V3_FACTORY

https://arbiscan.io/address/0x4893376342d5D7b3e31d4184c08b265e5aB2A3f6

Tools Used

Manual review

Recommended Mitigation Steps

Use valid addresses for _UNI_V3_FACTORY and _CAMELOT_FACTORY

Assessed type

Other
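A pre-deployment source check for the pattern this report describes, given as an added example that is not part of the original submission or the project's code: it flags `address constant` declarations named after a testnet and any constant assigned from one. The marker list, the `_CAMELOT_FACTORY` alias line and `PLACEHOLDER_FACTORY` are assumptions constructed for the sample; only the first sample line is quoted from the report.

```python
import re

# Assumed list of name tokens that mark a constant as testnet-only.
TESTNET_MARKERS = ("GOERLI", "SEPOLIA", "RINKEBY", "MUMBAI", "TESTNET")

# `address [visibility] constant NAME = <40-hex literal | other identifier>;`
CONST_RE = re.compile(
    r"\baddress\s+(?:(?:public|internal|private)\s+)?constant\s+"
    r"(?P<name>\w+)\s*=\s*(?P<value>0x[0-9a-fA-F]{40}|[A-Za-z_]\w*)\s*;"
)

def find_testnet_constants(source):
    """Return (line_no, name, reason) for each address constant that is named
    after a testnet or is assigned from a constant already flagged.
    Single pass: an alias is only caught if its source is declared earlier."""
    tainted = {}   # flagged constant name -> testnet marker it traces back to
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = CONST_RE.search(line.split("//", 1)[0])  # ignore line comments
        if not match:
            continue
        name, value = match["name"], match["value"]
        marker = next((m for m in TESTNET_MARKERS if m in name.upper()), None)
        if marker:
            reason = f"name contains {marker}"
        elif value in tainted:
            marker = tainted[value]
            reason = f"aliases {value} ({marker})"
        else:
            continue
        tainted[name] = marker
        findings.append((line_no, name, reason))
    return findings

# Constructed sample. Line 1 is the declaration quoted in the report; the
# alias on line 2 and the placeholder on line 3 are hypothetical.
SAMPLE = """\
address constant GOERLI_CAMELOT_V3_FACTORY = 0x5Cd40c7E21A15E7FC2503Fffd77cF70c60628F6C; // AlgebraFactory
address internal constant _CAMELOT_FACTORY = GOERLI_CAMELOT_V3_FACTORY;
address constant PLACEHOLDER_FACTORY = 0x0000000000000000000000000000000000000001;
"""

if __name__ == "__main__":
    for line_no, name, reason in find_testnet_constants(SAMPLE):
        print(f"line {line_no}: {name}: {reason}")
```

A name-based check only catches constants whose identifiers reveal the network; confirming that the address holds contract code on the target chain still requires a lookup against that chain.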

c4-pre-sort commented 10 months ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #119

c4-judge commented 10 months ago

MiloTruck marked the issue as satisfactory