code-423n4 / 2024-01-curves-findings


Any user can deploy any creator's ERC20 token with default name and Symbol #1514

Closed c4-bot-10 closed 10 months ago

c4-bot-10 commented 10 months ago

Lines of code

https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L479-L483

Vulnerability details

```solidity
function withdraw(address curvesTokenSubject, uint256 amount) public {
    if (amount > curvesTokenBalance[curvesTokenSubject][msg.sender]) revert InsufficientBalance();
    // Adjusted to fix [M-02] issue
    if (externalCurvesTokens[curvesTokenSubject].token == address(0)) revert InvalidERC20Metadata();

    address externalToken = externalCurvesTokens[curvesTokenSubject].token;
    if (externalToken == address(0)) {
        // Without the check above, the first caller of withdraw() for a subject
        // that has not set a name/symbol reaches this branch and locks in the
        // defaults on the creator's behalf.
        if (
            keccak256(
                abi.encodePacked(
                    externalCurvesTokens[curvesTokenSubject].name
                )
            ) ==
            keccak256(abi.encodePacked("")) ||
            keccak256(
                abi.encodePacked(
                    externalCurvesTokens[curvesTokenSubject].symbol
                )
            ) ==
            keccak256(abi.encodePacked(""))
        ) {
            externalCurvesTokens[curvesTokenSubject].name = DEFAULT_NAME;
            externalCurvesTokens[curvesTokenSubject]
                .symbol = DEFAULT_SYMBOL;
        }
        _deployERC20(
            curvesTokenSubject,
            externalCurvesTokens[curvesTokenSubject].name,
            externalCurvesTokens[curvesTokenSubject].symbol
        );
        externalToken = externalCurvesTokens[curvesTokenSubject].token;
    }
    _transfer(curvesTokenSubject, msg.sender, address(this), amount);
    CurvesERC20(externalToken).mint(msg.sender, amount * 1 ether);
}
```
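A hardened shape of this flow, as an added example that is not the project's own code: ERC20 deployment becomes an explicit, subject-only step with explicit metadata, and `withdraw` only mints once that step has happened, so no third party can ever lock in `DEFAULT_NAME`/`DEFAULT_SYMBOL` for a creator. The `onlyTokenSubject` modifier, the `_deployERC20` return value and the `_transfer` hook are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal stand-in for the CurvesERC20 token interface (constructed for this example).
interface ICurvesERC20 {
    function mint(address to, uint256 amount) external;
}

abstract contract CurvesWithdrawHardened {
    struct ExternalTokenMeta { string name; string symbol; address token; }

    mapping(address => ExternalTokenMeta) public externalCurvesTokens;
    mapping(address => mapping(address => uint256)) public curvesTokenBalance;

    error InsufficientBalance();
    error InvalidERC20Metadata();
    error UnauthorizedCurvesTokenSubject();

    // Assumed: only the subject may manage its own token; this modifier models that.
    modifier onlyTokenSubject(address subject) {
        if (subject != msg.sender) revert UnauthorizedCurvesTokenSubject();
        _;
    }

    // Deployment is an explicit, subject-only step with caller-supplied metadata,
    // so defaults are never chosen by an arbitrary withdrawer.
    function deployERC20(address subject, string calldata name, string calldata symbol)
        external onlyTokenSubject(subject)
    {
        if (externalCurvesTokens[subject].token != address(0)) revert InvalidERC20Metadata();
        if (bytes(name).length == 0 || bytes(symbol).length == 0) revert InvalidERC20Metadata();
        externalCurvesTokens[subject].name = name;
        externalCurvesTokens[subject].symbol = symbol;
        externalCurvesTokens[subject].token = _deployERC20(subject, name, symbol);
    }

    // withdraw no longer deploys anything: it reverts until the subject has deployed.
    function withdraw(address subject, uint256 amount) public {
        if (amount > curvesTokenBalance[subject][msg.sender]) revert InsufficientBalance();
        address externalToken = externalCurvesTokens[subject].token;
        if (externalToken == address(0)) revert InvalidERC20Metadata();
        _transfer(subject, msg.sender, address(this), amount);
        ICurvesERC20(externalToken).mint(msg.sender, amount * 1 ether);
    }

    // Assumed hooks: the real deployment and internal balance transfer live elsewhere.
    function _deployERC20(address, string memory, string memory) internal virtual returns (address);
    function _transfer(address, address, address, uint256) internal virtual;
}
```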

Assessed type

Context

c4-pre-sort commented 10 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #339

c4-judge commented 9 months ago

alcueca marked the issue as satisfactory

c4-judge commented 9 months ago

alcueca marked the issue as partial-50

c4-judge commented 9 months ago

alcueca marked the issue as satisfactory

c4-judge commented 9 months ago

alcueca marked the issue as partial-75

alcueca commented 9 months ago

Poor quality, but correct.