Closed c4-bot-2 closed 10 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
It's simply hexadecimal(ascii("Ether")), no address is entailed.
0xA5DF marked the issue as unsatisfactory: Invalid
The specific concern is that the custom Ether address might coincidentally match an actual Ethereum contract address due to the probabilistic nature of Ethereum address generation.
This is as likely as finding the private key to the zero address
Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/CurveTricryptoAdapter.sol#L100
Vulnerability details
Impact
The hardcoded custom representation of Ether in the Shell Protocol's adapter for the Curve Tricrypto pool (using address(0x4574686572)) deviates from standard Ethereum practices and introduces the risk of address collisions. This could potentially lead to operational issues within the protocol, such as incorrect token handling or unintended interactions with other contracts.
Proof of Concept
The specific concern is that the custom Ether address might coincidentally match an actual Ethereum contract address due to the probabilistic nature of Ethereum address generation. This can result in:
Tools Used
Recommended Mitigation Steps
Assessed type
Access Control
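To make the judges' remarks above concrete, here is an added example (not part of the report or of Shell Protocol's code) that derives the sentinel from the ASCII bytes of "Ether", renders it as a 20-byte address, and bounds the probability that any set of randomly generated 160-bit addresses collides with it.

```python
# Added example, not from the original report or the Shell Protocol repository.
# It checks what address(0x4574686572) actually is and quantifies the
# collision risk the report raises.

ETHER_SENTINEL = 0x4574686572  # constant used in CurveTricryptoAdapter.sol
ADDRESS_BITS = 160             # Ethereum addresses are 20 bytes


def sentinel_from_ascii(word: str = "Ether") -> int:
    """Interpret the ASCII bytes of `word` as a big-endian integer."""
    return int.from_bytes(word.encode("ascii"), "big")


def to_address(value: int) -> str:
    """Render an integer as a zero-padded, lowercase 20-byte hex address."""
    if not 0 <= value < 2 ** ADDRESS_BITS:
        raise ValueError("value does not fit in a 160-bit address")
    return "0x" + value.to_bytes(20, "big").hex()


def leading_zero_bytes(value: int) -> int:
    """Count the zero bytes at the front of the 20-byte address."""
    raw = value.to_bytes(20, "big")
    return len(raw) - len(raw.lstrip(b"\x00"))


def collision_probability(num_addresses: int) -> float:
    """Upper bound (union bound, n / 2^160) on the chance that at least one of
    `num_addresses` uniformly random addresses equals the fixed sentinel."""
    return min(1.0, num_addresses / 2 ** ADDRESS_BITS)


if __name__ == "__main__":
    print(to_address(ETHER_SENTINEL))                 # 15 zero bytes, then "Ether"
    print(sentinel_from_ascii() == ETHER_SENTINEL)    # True
    print(leading_zero_bytes(ETHER_SENTINEL))         # 15
    print(collision_probability(10 ** 9))             # far below 1e-38
```

Because the sentinel occupies only the low 40 bits, any real account or contract address would have to start with 15 zero bytes to collide, which is the same odds as hitting any other single fixed address.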