Closed howlbot-integration[bot] closed 1 month ago
https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L181-L204
Take a look at https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L181-L204
function getChainName() internal view returns (string memory) { if (block.chainid == 1) { return "Ethereum Mainnet"; } else if (block.chainid == 56) { return "BNB Smart Chain Mainnet"; } else if (block.chainid == 42161) { return "Arbitrum One"; } else if (block.chainid == 8453) { return "Base"; } else if (block.chainid == 43114) { return "Avalanche C-Chain"; } else if (block.chainid == 137) { return "Polygon Mainnet"; } else if (block.chainid == 10) { return "OP Mainnet"; } else if (block.chainid == 42220) { return "Celo Mainnet"; } else if (block.chainid == 238) {//@audit return "Blast Mainnet"; } else { return LibString.toString(block.chainid); } }
Evidently attempt of getting the chain name checks the current block chainId and then attaches it, it's name.
Now note that this function is used in multiple instances in protocol, from generating the SVG of the NFTs and what not, as confirmed by this search command: https://github.com/search?q=repo%3Acode-423n4%2F2024-06-panoptic%20getChainName&type=code
Problem however, is that this implementation doesn't work as expected on the blast chain due to the protocol using a wrong chain ID for blast mainnet.
Going to the official Blast docs: https://docs.blast.io/building/network-information
We can see that that the correct chainId for the blast mainnet should be 81457, see the below:
81457
The above would mean that generating SVG info would not work as expected on the Blast mainnet unlike other chains.
Generating SVGs would be broken for the Blast mainnet.
Consider applying these changes to https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L181-L204
function getChainName() internal view returns (string memory) { if (block.chainid == 1) { return "Ethereum Mainnet"; } else if (block.chainid == 56) { return "BNB Smart Chain Mainnet"; } else if (block.chainid == 42161) { return "Arbitrum One"; } else if (block.chainid == 8453) { return "Base"; } else if (block.chainid == 43114) { return "Avalanche C-Chain"; } else if (block.chainid == 137) { return "Polygon Mainnet"; } else if (block.chainid == 10) { return "OP Mainnet"; } else if (block.chainid == 42220) { return "Celo Mainnet"; - } else if (block.chainid == 238) { + } else if (block.chainid == 81457) { return "Blast Mainnet"; } else { return LibString.toString(block.chainid); } }
Context
Picodes marked the issue as unsatisfactory: Out of scope
Out of scope per the scoping precisions of the readme
Lines of code
https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L181-L204
Vulnerability details
Proof of Concept
Take a look at https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L181-L204
Evidently attempt of getting the chain name checks the current block chainId and then attaches it, it's name.
Now note that this function is used in multiple instances in protocol, from generating the SVG of the NFTs and what not, as confirmed by this search command: https://github.com/search?q=repo%3Acode-423n4%2F2024-06-panoptic%20getChainName&type=code
Problem however, is that this implementation doesn't work as expected on the blast chain due to the protocol using a wrong chain ID for blast mainnet.
Going to the official Blast docs: https://docs.blast.io/building/network-information
We can see that that the correct chainId for the blast mainnet should be![](https://cdn.discordapp.com/attachments/1235966308542185483/1249503254648459346/Screenshot_2024-06-10_at_02.19.44.png?ex=66678a16&is=66663896&hm=0a0f4d267b9d36e0b89384d7e4325e6f62e40cdf52477dc475dd1385142df5d2&)
81457
, see the below:The above would mean that generating SVG info would not work as expected on the Blast mainnet unlike other chains.
Impact
Generating SVGs would be broken for the Blast mainnet.
Recommended Mitigation Steps
Consider applying these changes to https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L181-L204
Assessed type
Context