This audit report assesses a contract that hardcodes the router address used for token swaps. The router address is set to "0xE592427A0AEce92De3Edee1F18E0157C05861564" and refers to a specific instance of ISwapRouter. The hardcoded router address can cause issues when the contract is deployed on networks where this address does not correspond to the appropriate Uniswap router. In such cases, tokens may become locked in the protocol indefinitely, preventing withdrawals and potentially leading to financial losses.
The contract contains the following line of code with the hardcoded router address:
The hardcoded address "0xE592427A0AEce92De3Edee1F18E0157C05861564" points to a specific instance of the Uniswap Router contract. In a situation where the contract is deployed on networks with a different Uniswap router address, token swaps may not function as intended. This can result in tokens becoming locked in the protocol, leaving users unable to withdraw their tokens except for WETH and TKN (protocol token).
The presence of the hardcoded router address can lead to token lockup issues when the contract is deployed on networks with a non-standard Uniswap router. Tokens sent to the contract for swapping purposes may not be routed correctly, potentially resulting in funds being locked in the protocol forever. This can result in users losing access to their tokens and can have severe financial consequences for affected users and the protocol.
VSCODE, Manual Review
To ensure compatibility and flexibility across different networks, it is recommended to implement a more dynamic approach for setting the router address. Instead of hardcoding the router address, the contract should allow the router address to be set during deployment or provide a mechanism for the contract owner to update the router address post-deployment.
Option 1: Constructor Argument
Allow the router address to be passed as an argument during contract deployment. This way, the contract can be deployed with the appropriate router address for each network.
Option 2: Admin Function
Implement an administrative function that allows the contract owner to update the router address after deployment. Ensure that only the contract owner can access and execute this function to prevent unauthorized changes.
By implementing one of these options, the contract will be able to adapt to different networks and use the appropriate router address for token swaps, avoiding potential token lockup issues.
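The sketch below combines both options. It is an added example, not the audited contract's code: the contract name `SwapModule`, the `setRouter` function, the `RouterUpdated` event, the custom errors and the inline owner check are all hypothetical, and `ISwapRouter` is declared as an empty stand-in for the real periphery interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for the Uniswap V3 periphery interface the finding names;
// a real contract would import ISwapRouter from the periphery package.
interface ISwapRouter {}

// Hypothetical contract name; illustrates both recommended options.
contract SwapModule {
    address public owner;
    ISwapRouter public router;

    event RouterUpdated(address indexed previousRouter, address indexed newRouter);

    error NotOwner();
    error InvalidRouter(address candidate);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Option 1: the deployer supplies the router for the target network.
    constructor(address router_) {
        owner = msg.sender;
        _setRouter(router_);
    }

    // Option 2: only the owner may repoint the router after deployment.
    function setRouter(address router_) external onlyOwner {
        _setRouter(router_);
    }

    function _setRouter(address router_) private {
        // Reject the zero address and addresses with no deployed code, which a
        // hardcoded address may be on a network where the router lives elsewhere.
        if (router_ == address(0) || router_.code.length == 0) {
            revert InvalidRouter(router_);
        }
        emit RouterUpdated(address(router), router_);
        router = ISwapRouter(router_);
    }
}
```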