Closed c4-bot-7 closed 5 months ago
GalloDaSballo marked the issue as sufficient quality report
Seems valid
GalloDaSballo marked the issue as primary issue
Depending on the chain, only one is used at a time, so it is no issue, and it is up to the admin to set the correct address.
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarm/PendlePowerFarmDeclarations.sol#L196-L202
Vulnerability details
Impact
In the constructor of PendlePowerFarmDeclarations.sol, both Curve and the Uniswap router are set to the same address. However, they have different addresses, bytecode, and available function selectors, hence calls to whichever is wrong would revert. They are also immutable, hence they cannot be modified.
Proof of Concept
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarm/PendlePowerFarmDeclarations.sol#L196-L203
Tools Used
Manual Review
Recommended Mitigation Steps
Pass in the appropriate addresses as parameters
Assessed type
Error