Closed c4-submissions closed 10 months ago
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/CamelotRelayer.sol#L20 https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/UniV3Relayer.sol#L18
Protocol will not work on arbitrum due to hardcoded _UNI_V3_FACTORY and _CAMELOT_FACTORY contract addresses
_UNI_V3_FACTORY
_CAMELOT_FACTORY
_CAMELOT_FACTORY in the CamelotRelayer is hardcoded as:
CamelotRelayer
address constant GOERLI_CAMELOT_V3_FACTORY = 0x5Cd40c7E21A15E7FC2503Fffd77cF70c60628F6C; // AlgebraFactory
But this address is the AlgebraFactory address in goerli arbitrium, but it is not on arbitrum:
https://arbiscan.io/address/0x5Cd40c7E21A15E7FC2503Fffd77cF70c60628F6C
Note: Same for _UNI_V3_FACTORY
https://arbiscan.io/address/0x4893376342d5D7b3e31d4184c08b265e5aB2A3f6
Manual review
Use valid addresses for _UNI_V3_FACTORY and _CAMELOT_FACTORY
Other
raymondfam marked the issue as low quality report
raymondfam marked the issue as duplicate of #119
MiloTruck marked the issue as satisfactory
Lines of code
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/CamelotRelayer.sol#L20 https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/UniV3Relayer.sol#L18
Vulnerability details
Impact
Protocol will not work on arbitrum due to hardcoded
_UNI_V3_FACTORY
and_CAMELOT_FACTORY
contract addressesProof of Concept
_CAMELOT_FACTORY
in theCamelotRelayer
is hardcoded as:But this address is the AlgebraFactory address in goerli arbitrium, but it is not on arbitrum:
Note: Same for
_UNI_V3_FACTORY
Tools Used
Manual review
Recommended Mitigation Steps
Use valid addresses for
_UNI_V3_FACTORY
and_CAMELOT_FACTORY
Assessed type
Other