code-423n4 / 2023-10-wildcat-findings


No Create2 Contract Deployment Check can prevent a borrower from deploying contracts from a factory if deployment fails #686

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/libraries/LibStoredInitCode.sol#L106-L117

Vulnerability details

Description

When a contract is deployed using Create2, the deployment can fail without causing a revert. The following conditions can cause it to not revert:

  1. A contract already exists at the destination address.
  2. Insufficient value to transfer.
  3. Sub context reverted.
  4. Insufficient gas to execute the initialisation code.
  5. Call depth limit reached.

When any of the conditions above occur, the CREATE2 opcode completes execution without reverting, but the contract will not be deployed.

The create2WithStoredInitCode in LibStoredInitCode and createEscrow in WildcatSanctionsSentinel don't have these checks.

Impact

create2WithStoredInitCode is used to deploy controllers and markets. If a controller deployment fails, it is still recorded in the archController as a valid controller. The borrower won't be able to deploy a controller again and the initial one won't exist.

createEscrow is used to deploy escrows. If an escrow deployment fails, it will have to be deployed again.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add a check that checks the code deployed at the contract address and reverts if it is empty. The codehash or codesize can be checked.

Assessed type

Other
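The check recommended in the submission above, as an added example that is not part of the original issue and is not Wildcat's code. The library `CheckedCreate2`, the contract `ExampleRegistry` and all their members are hypothetical names chosen for illustration; the point is that the registry entry is only written after the deployment result has been validated.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical helper (illustration only): CREATE2 with explicit failure checks.
library CheckedCreate2 {
    error DeploymentFailed();
    error EmptyRuntimeCode(address deployed);

    function deploy(bytes memory initCode, bytes32 salt, uint256 value)
        internal
        returns (address deployed)
    {
        assembly ("memory-safe") {
            // At the opcode level CREATE2 pushes 0 on failure instead of
            // reverting the calling frame, so the result must be inspected.
            deployed := create2(value, add(initCode, 0x20), mload(initCode), salt)
        }
        // A zero result covers the failure conditions listed in the report:
        // address collision, insufficient value, reverted init code,
        // out of gas during initialisation, call depth limit.
        if (deployed == address(0)) revert DeploymentFailed();
        // Init code that returns zero bytes yields a non-zero address
        // with no runtime code; reject that as well (codesize check).
        if (deployed.code.length == 0) revert EmptyRuntimeCode(deployed);
    }
}

/// Hypothetical registry standing in for "record the deployment" logic.
contract ExampleRegistry {
    mapping(address => bool) public isRegistered;

    function deployAndRegister(bytes calldata initCode, bytes32 salt)
        external
        returns (address deployed)
    {
        // Reverts on any failed deployment, so the state write below
        // can never record an address that holds no contract.
        deployed = CheckedCreate2.deploy(initCode, salt, 0);
        isRegistered[deployed] = true;
    }
}
```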

c4-pre-sort commented 10 months ago

minhquanym marked the issue as duplicate of #28

c4-judge commented 10 months ago

MarioPoneder marked the issue as satisfactory