code-423n4 / 2024-02-wise-lending-findings


Initialization of PendlePowerFarmToken can be frontrun leading to DOS. #172

Closed c4-bot-8 closed 6 months ago

c4-bot-8 commented 6 months ago

## Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L682

## Vulnerability details

Details

PendlePowerFarmToken is initialized through `PendlePowerFarmToken.initialize`, which sets the parameters of the token including the underlying PendlePowerFarm market address, token name, symbol and max cardinality. Additionally, the function checks whether these have already been set and reverts if so. The `PendlePowerFarmTokenFactory` initializes this token contract after deploying it with create2.

file: contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol

```solidity
function initialize(
    address _underlyingPendleMarket,
    address _pendleController,
    string memory _tokenName,
    string memory _symbolName,
    uint16 _maxCardinality
)
    external
{
    if (address(PENDLE_MARKET) != address(0)) {
        revert AlreadyInitialized();
    }

    PENDLE_MARKET = IPendleMarket(
        _underlyingPendleMarket
    );
    // ....................................................
}
```

## Impact
This function can be front-run prior to deployment or even after deployment, where a malicious user can set a false power farm address, token name, symbol or max cardinality for this token. This would lead to a DoS where a new token contract would need to be deployed, causing grief and costs to the protocol owners.

## Proof of Concept
The initialize function is called by the `PendlePowerFarmTokenFactory` after deployment. However, the issue arises because the initialize function does not contain an access control that restricts it to the `PendlePowerFarmTokenFactory`, allowing any user to call this function and initialize the Pendle token. Once this is set, due to the checks in the function, it can no longer be set by the Pendle token factory.

## Tools Used
Manual review

## Recommended Mitigation Steps
1. Allow only the `PendlePowerFarmTokenFactory` to call the initialize function.

```diff
 function initialize(
        address _underlyingPendleMarket,
        address _pendleController,
        string memory _tokenName,
        string memory _symbolName,
        uint16 _maxCardinality
    )
        external
    {
+       if(msg.sender != address(PendlePowerFarmTokenFactory) {
             revert; 
        } 

        if (address(PENDLE_MARKET) != address(0)) {
            revert AlreadyInitialized();
        }

        PENDLE_MARKET = IPendleMarket(
            _underlyingPendleMarket
        );
```

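Review bot: the added guard `if(msg.sender != address(PendlePowerFarmTokenFactory) {` is missing its closing parenthesis, and because `PendlePowerFarmTokenFactory` is a contract type rather than a stored instance, `address(...)` of it will not compile unless a variable of that name is declared. Since the details above state that the factory deploys the token with create2, the simplest fix is to record the deployer once in the token's constructor (`FACTORY = msg.sender;` as an immutable) and compare against that: `if (msg.sender != FACTORY) { revert NotFactory(); }`. The `revert;` and closing `}` lines are also unmarked, so they read as existing context rather than part of the addition; prefix them with `+` and use a named error instead of a bare `revert` so the failure reason is visible to callers.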
## Assessed type

DoS
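The following is an added illustration of the mitigation described in the report, not code from the Wise Lending repository. It assumes a simplified token whose constructor records its deployer (the factory, since the token is created via create2 from the factory) as an immutable, and a factory that deploys and initializes in one transaction so there is no on-chain window in which the token exists uninitialized. Contract names, the `FACTORY` immutable, the `NotFactory` error and the `deployAndInitialize` function are hypothetical; `initialize`, `PENDLE_MARKET` and `AlreadyInitialized` mirror the names in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Names marked hypothetical in the
// lead-in are assumptions for illustration only.

interface IPendleMarket {}

contract HardenedPowerFarmToken {
    error AlreadyInitialized();
    error NotFactory();

    // The contract that ran `new HardenedPowerFarmToken{salt: ...}()` is
    // msg.sender inside the constructor, so the factory address is pinned
    // at creation and cannot be changed by a later caller.
    address public immutable FACTORY;

    IPendleMarket public PENDLE_MARKET;
    address public PENDLE_CONTROLLER;
    string public name;
    string public symbol;
    uint16 public MAX_CARDINALITY;

    constructor() {
        FACTORY = msg.sender;
    }

    function initialize(
        address _underlyingPendleMarket,
        address _pendleController,
        string memory _tokenName,
        string memory _symbolName,
        uint16 _maxCardinality
    )
        external
    {
        // Access control first: any caller other than the deploying factory
        // is rejected, so a third party cannot seed bogus parameters.
        if (msg.sender != FACTORY) {
            revert NotFactory();
        }
        // Then the one-shot check the original already had.
        if (address(PENDLE_MARKET) != address(0)) {
            revert AlreadyInitialized();
        }

        PENDLE_MARKET = IPendleMarket(_underlyingPendleMarket);
        PENDLE_CONTROLLER = _pendleController;
        name = _tokenName;
        symbol = _symbolName;
        MAX_CARDINALITY = _maxCardinality;
    }
}

contract HardenedPowerFarmTokenFactory {
    event TokenDeployed(address indexed token, address indexed market);

    // Deploy with create2 and initialize in the same transaction. Because
    // both steps happen atomically, no external transaction can be ordered
    // between deployment and initialization.
    function deployAndInitialize(
        address _underlyingPendleMarket,
        address _pendleController,
        string memory _tokenName,
        string memory _symbolName,
        uint16 _maxCardinality
    )
        external
        returns (address)
    {
        bytes32 salt = keccak256(abi.encode(_underlyingPendleMarket));
        HardenedPowerFarmToken token = new HardenedPowerFarmToken{salt: salt}();
        token.initialize(
            _underlyingPendleMarket,
            _pendleController,
            _tokenName,
            _symbolName,
            _maxCardinality
        );
        emit TokenDeployed(address(token), _underlyingPendleMarket);
        return address(token);
    }
}
```

Two properties together close the issue: the create2 address is predictable, but `initialize` cannot be invoked on an address with no code, and once the code exists only `FACTORY` can call it. Even if the factory's own initialize call were somehow separated from deployment, the `NotFactory` check means a front-running call reverts instead of locking in attacker-chosen parameters.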

c4-bot-1 commented 6 months ago

Withdrawn by forgebyola