No checking whether the code is deployed on that address or not.
Vulnerability Detail
In TranchFactory.sol we have function deployTranche() to deploy the tranches using create2 from Create2TrancheLib library. The function does not revert properly if there is a failed contract deployment or revert from the create2 opcode as it does not properly check the returned address for bytecode. The create2 opcode returns the expected address which will never be the zero address and equal to the computed address(as is what is currently checked here).
function deployTranche(
address adapter,
uint256 maturity,
uint256 tilt,
uint256 issuanceFee
) external returns (address) {
if (msg.sender != management) revert OnlyManagement();
if (adapter == address(0)) revert ZeroAddress();
if (tranches[adapter][maturity] != address(0)) revert TrancheAlreadyExists();
if (maturity <= block.timestamp) revert MaturityInvalid();
if (tilt >= MAX_BPS) revert TiltTooHigh(); // tilt: [0, 100%) exclusive
if (issuanceFee > MAX_ISSUANCE_FEE_BPS) revert IssueanceFeeTooHigh(); // issuanceFee: [0, 5%] inclusive
// NOTE: computed Tranche address is used before deployed. it is ok if the YT doesn't call the tranche's methods in its constructor
address computedAddr = trancheFor(adapter, maturity);
YieldToken yt = new YieldToken(
computedAddr,
IBaseAdapter(adapter).underlying(),
IBaseAdapter(adapter).target(),
maturity
);
// store temporary variables
_tempArgs.adapter = adapter;
_tempArgs.maturity = maturity.toUint32();
_tempArgs.tilt = tilt.toUint16();
_tempArgs.issuanceFee = issuanceFee.toUint16();
_tempArgs.yt = address(yt);
// deploy PT with CREATE2 using adapter and maturity as salt
// receive callback to initialize the tranche
@> Tranche tranche = Create2TrancheLib.deploy(adapter, maturity);
@> if (computedAddr != address(tranche)) revert TrancheAddressMismatch();
// set back to zero-value for refund
delete _tempArgs;
// store the series
tranches[adapter][maturity] = address(tranche);
emit TrancheDeployed(maturity, address(tranche), address(yt));
return address(tranche);
}
But we are not checking whether the code is correctly deployed on that address or not.
Atharv
medium
Improper Validation of Create2 Return Value
Summary
No checking whether the code is deployed on that address or not.
Vulnerability Detail
In
TranchFactory.sol
we have functiondeployTranche()
to deploy the tranches usingcreate2
fromCreate2TrancheLib
library. The function does not revert properly if there is a failed contract deployment or revert from the create2 opcode as it does not properly check the returnedaddress for bytecode
. The create2 opcode returns the expected address which will never be the zero address and equal to the computed address(as is what is currently checked here).But we are not checking whether the code is correctly deployed on that address or not.
Previously raised similar issue on sherlock link.
Impact
adapter
andmaturity
value as code is not reverting and are storing the value here and checking it here.Code Snippet
Code
Tool used
Manual Review
Recommendation
The recommended mitigation is to check whether the code is deployed correctly to not by adding
require(extcodesize(address(tranche)) != 0 )
.