Github username: --
Submission hash (on-chain): 0xf736378ed6fdb57e898c42c8afae09bbf74dedae147304f1ab01fbcc6d454b3b
Severity: medium
Description: Using `create` can cause many issues.
Attack Scenario:
With CREATE, the address is determined by the factory contract's nonce. Every time CREATE is called in the factory, its nonce is increased by 1.
This approach is very controversial and the recent hack with Optimism was just related to this. https://rekt.news/wintermute-rekt/
With CREATE2, the address is determined by an arbitrary salt value and the init_code.
The big advantage of CREATE2 is that the destination address is not dependent on the exact state (i.e. the nonce) of the factory when it's called. This allows transaction results to be simulated off-chain, which is an important part of many state channel based approaches to scaling.
Recommendation: Use `create2` instead of `create` to deploy.
https://docs.openzeppelin.com/cli/2.8/deploying-with-create2