code-423n4 / 2024-08-wildcat-findings


`WildcatArchController::updateSphereXEngineOnRegisteredContracts` will never execute because `sphereXEngine` is set as `address(0)` and never updated. #99

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/WildcatArchController.sol#L84

Vulnerability details

Impact

The `WildcatArchController::updateSphereXEngineOnRegisteredContracts` updates SphereX engine on registered contracts and adds them as allowed senders on the engine contract. In this function there is a sole conditional `if` statement that ensures `sphereXEngine != address(0)`:

```solidity
//src/WildcatArchController
//ln#84

  function updateSphereXEngineOnRegisteredContracts(
    address[] calldata controllerFactories,
    address[] calldata controllers,
    address[] calldata markets
  ) external spherexOnlyOperatorOrAdmin {
    address engineAddress = sphereXEngine(); //@audit Will return 0.
    bytes memory changeSphereXEngineCalldata = abi.encodeWithSelector(
      ISphereXProtectedRegisteredBase.changeSphereXEngine.selector,
      engineAddress
    );
    bytes memory addAllowedSenderOnChainCalldata;
    if (engineAddress != address(0)) { //@ audit won't work as engine is a hardcoded `address(0)` with no implemented method to update `engine` address
      addAllowedSenderOnChainCalldata = abi.encodeWithSelector(
        ISphereXEngine.addAllowedSenderOnChain.selector,
        address(0)
      );
    }

//SNIPPED

}
```

But in the `WildcatArchController::constructor` the `SphereXConfig` is initialized by providing its constructor arguments as so:

```solidity
//src/WildcatArchController
//ln#61-63
//@audit                      admin       operator    engine
constructor() SphereXConfig(msg.sender, address(0), address(0)) {  //@audit SphereXConfig `engine` set as 0
    _initializeOwner(msg.sender);
  }
```

Thus this line `address engineAddress = sphereXEngine();` will return 0.

The impact of this is that `WildcatArchController::updateSphereXEngineOnRegisteredContracts` might never execute.

Tools Used

Manual review.

Recommended Mitigation Steps

Perform either of the following

Assessed type

Other

c4-judge commented 1 month ago

3docSec marked the issue as unsatisfactory: Insufficient proof