hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for the Hats Finance audit competition

Use of hardcoded address may cause issues on different chains #59

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @Madalad
Submission hash (on-chain): 0xbed8d2273ee6cc1b0945acab6754aaeb375053d1a205281e4ef38ab6082368c9
Severity: low

Description:
In CvgOracle.sol, the state variable WETH is set to a hardcoded value representing the WETH address on Ethereum mainnet. This means that the contract is incompatible with all other EVM chains, and even if it is not intended to be deployed elsewhere at the present time, it is still best practice to avoid hardcoded addresses to ensure contracts are future proof.

Attack Scenario:
WETH address will be incorrect on any chain other than mainnet, meaning CvgOracle is unable to fetch ETH price, severely limiting the usability of the oracle and introducing consequences in other areas of the protocol that rely on the oracle.

Line of code: https://github.com/Cvg-Finance/hats-audit/blob/main/contracts/Oracles/CvgOracle.sol#L35

Recommendation:
Pass the WETH address as a parameter in the constructor of CvgOracle, and change the WETH state variable from constant to immutable:

-   IERC20Metadata constant WETH = IERC20Metadata(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);
+   IERC20Metadata immutable WETH;

-   constructor(address treasuryDao) {
+   constructor(address treasuryDao, address _weth) {
        /// @dev Transfer ownership to multisig
        _transferOwnership(treasuryDao);
+     WETH = IERC20Metadata(_weth);
    }
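Review bot: the new `_weth` parameter in `constructor(address treasuryDao, address _weth)` is assigned to an immutable with no validation, so a zero or mistyped address passed at deployment can never be corrected afterwards. Add `require(_weth != address(0), "CvgOracle: zero WETH");` immediately before `WETH = IERC20Metadata(_weth);`. The existing `/// @dev Transfer ownership to multisig` comment covers only the first parameter; a NatSpec `@param _weth` line describing the expected token for the target chain would make the deployment contract explicit.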
walk-on-me commented 1 year ago

Hello, thanks a lot for your attention.

We don't plan to deploy Convergence bonds on L2 at all.

So we have to consider the issue as Invalid.