Closed c4-bot-10 closed 2 months ago
Provisionally marking as satisfactory
3docSec marked the issue as satisfactory
3docSec marked the issue as selected for report
BSC chain has WBNB, which is wrapped native with the full function that our contract uses
Invalid as per sponsor comment
3docSec marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/src/Common.sol#L522-L533
Vulnerability details
Proof of Concept
First take a look at this excerpt from the README: https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/README.md#L101
We can see that one supported chain the protocol plans on deploying to is the Binance Smart Chain.
Now, in multiple instances across contracts in scope we can see that there is an attempt to withdraw directly from the WETH implementation, i.e. see how tokens are being transferred, by first unwrapping and then sending the ETH: https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/src/Common.sol#L522-L533
Other instances across scope where this function gets used can be seen below.
Whereas this implementation works on most of the chains where the protocol is to deploy to, the query to .withdraw() would always fail on the Binance Smart Chain. This is because no WETH wrapper exists on BSC. Also, going to this helper site to get the addresses for WETH: https://www.coingecko.com/en/coins/weth we can see the different addresses for different chains, i.e. 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2 on the Mainnet & 0x2170ed0880ac9a755fd29b2688956bd959f933f8 on BSC.
Using the EVM contract reader tool: https://www.contractreader.io/contract, we can see that, whereas the .withdraw() function exists on the implementation on the mainnet, it doesn't exist on the BSC implementation.
Impact
Functionalities of the protocol & their availability would be impacted on the BSC chain where it's scheduled to be deployed, considering the instances where IWETH.withdraw() are currently queried in scope are from helper functions like _transferToken that get used in other core functionalities, see instances where _transferToken alone is being used in scope, with this search command: https://github.com/search?q=repo%3Acode-423n4%2F2024-06-krystal-defi%20_transferToken&type=code. Which showcases how not only swaps and their preparations via Common.sol would be bricked, but even executions in the V3Automation.sol.
Recommended Mitigation Steps
Reconsider the deployment on BSC
Assessed type
Context
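
A pre-deployment check for the question this report and the sponsor reply turn on, as an added example that is not part of the original submission or the Krystal DeFi code base: it walks a contract's runtime bytecode and reports whether the withdraw(uint256) and deposit() selectors appear as PUSH4 operands in its dispatcher. Both bytecode samples are constructed; in practice the input is assumed to be the eth_getCode result for the address configured as the wrapped-native token on each target chain.

```python
# Added example: selector scan over constructed EVM runtime bytecode.
WITHDRAW = bytes.fromhex("2e1a7d4d")   # selector of withdraw(uint256)
DEPOSIT = bytes.fromhex("d0e30db0")    # selector of deposit()
REQUIRED = {"withdraw(uint256)": WITHDRAW, "deposit()": DEPOSIT}


def push4_operands(code: bytes) -> set:
    """Collect every PUSH4 operand, walking opcode by opcode.

    PUSH1..PUSH32 (0x60..0x7f) carry 1..32 bytes of inline data. That data
    is skipped so constants are never misread as opcodes or selectors.
    """
    found, i = set(), 0
    while i < len(code):
        op = code[i]
        if 0x60 <= op <= 0x7F:
            n = op - 0x5F                       # number of inline data bytes
            if op == 0x63 and i + 1 + n <= len(code):
                found.add(code[i + 1:i + 1 + n])
            i += 1 + n
        else:
            i += 1
    return found


def missing_wrapper_functions(code: bytes) -> list:
    """Names of required wrapper functions absent from the dispatcher."""
    selectors = push4_operands(code)
    return [name for name, sel in REQUIRED.items() if sel not in selectors]


def _dispatcher(selectors) -> bytes:
    # Constructed dispatcher entry: PUSH4 <sel> EQ PUSH2 0x0040 JUMPI
    return b"".join(b"\x63" + s + b"\x14\x61\x00\x40\x57" for s in selectors)


TRANSFER = bytes.fromhex("a9059cbb")   # transfer(address,uint256)
BALANCE_OF = bytes.fromhex("70a08231") # balanceOf(address)

# Constructed sample 1: a wrapper exposing deposit() and withdraw(uint256).
FULL_WRAPPER = _dispatcher([DEPOSIT, WITHDRAW, TRANSFER])
# Constructed sample 2: a plain token whose only occurrence of the withdraw
# bytes is inside PUSH32 data, which a naive substring search would match.
PLAIN_TOKEN = _dispatcher([TRANSFER, BALANCE_OF]) + b"\x7f" + WITHDRAW + bytes(28)

if __name__ == "__main__":
    for label, code in (("full wrapper", FULL_WRAPPER), ("plain token", PLAIN_TOKEN)):
        print(label, "missing:", missing_wrapper_functions(code) or "nothing")
```

A proxy's bytecode does not contain its implementation's selectors, so scan the implementation code in that case. Treat the result as a heuristic to be confirmed with a fork test of the unwrap path on each chain.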