code-423n4 / 2024-02-wise-lending-findings


Missing zero address check could have PendlePowerFarmToken contract re-initialized #239

Closed c4-bot-7 closed 5 months ago

c4-bot-7 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L682-L687 https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmTokenFactory.sol#L102-L108 https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmController.sol#L211-L229

Vulnerability details

Impact

When PendlePowerFarmToken contract is deployed in the PendlePowerFarmTokenFactory contract in PendlePowerFarmTokenFactory.deploy(), it creates a new PendlePowerFarmToken contract and calls the initialize() function.

PendlePowerFarmToken(pendlePowerFarmTokenAddress).initialize(
    _underlyingPendleMarket,
    PENDLE_POWER_FARM_CONTROLLER,
    _tokenName,
    _symbolName,
    _maxCardinality
);

The initialize() function in PendlePowerFarmToken initializes the PENDLE_MARKET, PENDLE_CONTROLLER, MAX_CARDINALITY, _name, _symbol, PENDLE_POWER_FARM_CONTROLLER, UNDERLYING_PENDLE_MARKET, and other state variables. https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmToken.sol#L682-L732

However, due to a missing zero address check, it may be possible to re-initialize the state variables of the PendlePowerFarmToken contract.

This is possible if the master address of the PENDLE_POWER_FARM_CONTROLLER contract mistakenly calls PendlePowerFarmController.addPendleMarket() with a zero address as the _pendleMarket parameter. https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmController.sol#L211-L229

function addPendleMarket(
    address _pendleMarket,
    string memory _tokenName,
    string memory _symbolName,
    uint16 _maxCardinality
)
    external
    onlyMaster
{
    if (pendleChildAddress[_pendleMarket] > ZERO_ADDRESS) {
        revert AlreadySet();
    }

    address pendleChild = PENDLE_POWER_FARM_TOKEN_FACTORY.deploy(
        _pendleMarket,
        _tokenName,
        _symbolName,
        _maxCardinality
    );

This action would inadvertently create an opportunity for a malicious user who monitors the network and observes the PendlePowerFarmToken contract deployment to take advantage of the error and manipulate totalLpAssetsToDistribute and other state variables.

Tools Used

Manual

Recommended Mitigation Steps

Apply a zero address check to ensure the contract is not initialized with a zero address at deployment.

Assessed type

Other
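The mitigation the report recommends, shown as an added example that is not code from the Wise Lending repository: a simplified, hypothetical token/controller pair (contract names, the `initialized` flag and the `ZeroAddress` error are assumptions, not identifiers from the project) in which both the controller's `addPendleMarket()` and the token's `initialize()` reject `address(0)`, and `initialize()` additionally refuses a second call so the state set at deployment cannot be overwritten.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified stand-in for the report's PendlePowerFarmToken
// (added example, not the project's code). initialize() rejects a zero
// market or controller address and refuses to run twice.
contract ZeroCheckedToken {
    error ZeroAddress();
    error AlreadyInitialized();

    address public UNDERLYING_PENDLE_MARKET;
    address public PENDLE_POWER_FARM_CONTROLLER;
    bool private initialized; // assumed one-shot guard

    function initialize(
        address _underlyingPendleMarket,
        address _controller
    )
        external
    {
        // Zero address check recommended by the report.
        if (_underlyingPendleMarket == address(0) || _controller == address(0)) {
            revert ZeroAddress();
        }
        // Re-initialization guard: state can only be set once.
        if (initialized) {
            revert AlreadyInitialized();
        }
        initialized = true;
        UNDERLYING_PENDLE_MARKET = _underlyingPendleMarket;
        PENDLE_POWER_FARM_CONTROLLER = _controller;
    }
}

// Hypothetical controller mirroring the shape of addPendleMarket() in the
// report: the zero check runs before anything is deployed, so a mistaken
// call with address(0) reverts instead of creating a child token.
contract ZeroCheckedController {
    error ZeroAddress();
    error AlreadySet();

    mapping(address => address) public pendleChildAddress;

    function addPendleMarket(address _pendleMarket) external {
        if (_pendleMarket == address(0)) {
            revert ZeroAddress();
        }
        if (pendleChildAddress[_pendleMarket] != address(0)) {
            revert AlreadySet();
        }

        ZeroCheckedToken child = new ZeroCheckedToken();
        child.initialize(_pendleMarket, address(this));
        pendleChildAddress[_pendleMarket] = address(child);
    }
}
```

The controller-side check is the cheaper place to stop the mistake, since it reverts before any deployment gas is spent; the token-side guard is defence in depth so that a child deployed by any other path still cannot be initialized with empty addresses or initialized twice.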

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as insufficient quality report

GalloDaSballo commented 5 months ago

glorified 0 check

vm06007 commented 5 months ago

QA at best, so please disqualify this.

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Invalid