search

sherlock-audit / 2024-04-titles-judging

12 stars 9 forks source link

Dots - Hardcoded ETH_ADDRESS could make problems on other blockchains #198

Closed sherlock-admin3 closed 6 months ago

sherlock-admin3 commented 6 months ago

Dots

medium

Hardcoded ETH_ADDRESS could make problems on other blockchains

Summary

The ETH address is hardcoded in the Common.sol contract.

Vulnerability Detail

As stated in the README.md, the protocol is going to be deployed on the following blockchains - Ethereum, Base, OP, Zora, Blast, Arbitrum, zkSync, Degen. The specific address 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE used to represent native ETH on Ethereum may not be directly applicable or recognized as representing the native token on other EVM-compatible blockchains.

Impact

Protocol will not work on most of the supported blockchains.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/shared/Common.sol#L31

address constant ETH_ADDRESS = address(0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE);

Tool used

Manual Review

Recommendation

Implement a way to not have the ETH_ADDRESS as a constant

ccashwell commented 6 months ago

This is not valid, the address constant is only used internally and with the 0xSplits protocol which hardcodes the same address as specified by ERC7528.