Closed sherlock-admin closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid: the mistake of the admin is considered invalid according to sherlocks rule; but had the code being implemented to be like that then this would hvae been a valid issue
xiaoming90
medium
Unauthorised or malicious base pool
Summary
During the deployment of the AMM pool, there was no check being performed to ensure that the base pool was deployed by CurveTricryptoFactory.
Vulnerability Detail
Within the
deploy
function, Item 1 of the checklist (Line 66) stated that it should check that the Base pool is deployed by CurveTricryptoFactory.Items 2 and 3 if the checklist has been implemented at Line 69-76. However, no check was being performed for Item 1 of the checklist within the function. As a result, an admin might intentionally or accidentally configure the base pool that is not deployed by CurveTricryptoFactory. A malicious admin might use a specially crafted base pool contract to trick users into depositing into the malicious contract.
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/PoolFactory.sol#L50
Per the contest's README page, it stated that the admin/owner is "RESTRICTED".
Per the Sherlock's judging documentation, it mentioned that:
For this specific issue, the restriction has been outlined in the comment on Line 66 above.
Impact
Loss of assets for the victims.
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/PoolFactory.sol#L50
Tool used
Manual Review
Recommendation
Consider combining the deployment of Curve's base pool via CurveTricryptoFactory with the deployment of the AMM pool so that the returned deployed base pool address from the CurveTricryptoFactory can be assigned to the AMM directly.