Open c4-bot-6 opened 7 months ago
I agree, we caught this issue a few days ago too. Blast had initially in their docs specified it should be address(0) instead of address(this) for gas claiming and we missed changing this in the audit commit freeze. Will agree to a Medium Risk bug for this, as it doesn't affect any user funds
0xleastwood marked the issue as primary issue
0xleastwood marked the issue as satisfactory
jooleseth (sponsor) acknowledged
jooleseth (sponsor) confirmed
0xleastwood marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-02-thruster/blob/3896779349f90a44b46f2646094cb34fffd7f66e/thruster-protocol/thruster-clmm/contracts/ThrusterPoolDeployer.sol#L45-L47
Vulnerability details
Impact
From the contest documentation:
However, the
ThrusterPoolDeployer
contains a flaw in the implementation ofclaimGas()
which will prevent it from ever claiming the gas it induces. The function attempts to claim gas for the zero address (address(0)
) instead of the deployer's own address (address(this)
):This misconfiguration prevents the
ThrusterPoolDeployer
from reclaiming any gas, as theIBlast.claimMaxGas()
call will always fail when provided with the zero address.Proof of Concept
https://github.com/blast-io/blast/blob/master/blast-optimism/packages/contracts-bedrock/src/L2/Blast.sol#L274-L283
Tools Used
Manual review
Recommended Mitigation Steps
Use
address(this)
rather than0
.Assessed type
Other