search

sherlock-audit / 2023-04-ajna-judging

4 stars 3 forks source link

devival - Overriding AJNA token address in GrantFund.sol constructor #69

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

devival

medium

Overriding AJNA token address in GrantFund.sol constructor

Summary

GrantFund.sol deployer will have to override the hardcoded AJNA address in Storage.sol.

Vulnerability Detail

GrantFund constructor updates ajnaTokenAddress in the Storage contract which is deployed earlier than GrantFund.

Impact

Assigning value to ajnaTokenAddress in Storage has no sense as it is being overridden in the GrantFund constructor. Deployer HAS to provide a token address to the constructor again. If passed wrong token address at deployment, the contract will not work.

Code Snippet

Storage.sol#L55 

address public ajnaTokenAddress =
        0x9a96ec9B57Fb64FbC60B423d1f4da7691Bd35079;

GrantFund.sol#L46

    constructor(address ajnaToken_) {
        ajnaTokenAddress = ajnaToken_;
    }

Tool used

Manual Review

Recommendation

Pick one: a) Remove hardcoding ajnaTokenAddress in Storage.sol b) Remove the constructor from GrantFund.sol