sherlock-audit / 2024-04-teller-finance-judging

0xrobsol - Uniqueness Violation in Market ID Assignment During Contract Initialization #214

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

0xrobsol

medium

Uniqueness Violation in Market ID Assignment During Contract Initialization

Summary

The initialization function of the contract allows setting a marketId without checking its uniqueness. This oversight could lead to potential conflicts or overwrites in market configurations if the same marketId is reused inadvertently.

Vulnerability Detail

The contract's initialize function accepts a marketId parameter intended to uniquely identify a market configuration. However, there is no mechanism in place to verify whether the marketId has been previously set. As a result, it's possible to set up multiple markets with the same ID, leading to data integrity issues and unpredictable contract behavior.

Impact

If multiple market configurations use the same marketId, it could result in several undesirable outcomes:

Code Snippet

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L186

Tool used

Manual Review

Recommendation

To mitigate this vulnerability and prevent potential issues associated with non-unique marketIds, implement one or more of the following measures:

nevillehuang commented 3 months ago

Invalid. Each marketId corresponds to a unique LenderCommitmentGroup_Smart contract address, so this is a non-issue.