code-423n4 / 2024-02-wise-lending-findings

Same address set for Curve and Uniswap #210

Closed c4-bot-7 closed 5 months ago

c4-bot-7 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarm/PendlePowerFarmDeclarations.sol#L196-L202

Vulnerability details

Impact

In the constructor of PendlePowerFarmDeclarations.sol, both Curve and the Uniswap router are set to the same address. However, they have different addresses, bytecode, and available function selectors, hence calls to whichever is wrong would revert. They are also immutable, hence they cannot be modified.

Proof of Concept

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarm/PendlePowerFarmDeclarations.sol#L196-L203


        //@audit curve and uniswap have diff addresses

        CURVE = ICurve(
            _dexAddress
        );

        UNISWAP_V3_ROUTER = IUniswapV3(
            _dexAddress
        );

Tools Used

Manual Review

Recommended Mitigation Steps

Pass in the appropriate addresses as parameters

Assessed type

Error

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as sufficient quality report

GalloDaSballo commented 5 months ago

Seems valid

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as primary issue

vm06007 commented 5 months ago

Depending on chain, only one is used at a time, so it is no issue and is up to admin to set correct address.

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Invalid