20,000 USDC
Submission Details
Severity: high
Valid

UniSwap V3 `SwapRouter`'s contract address is hardcoded in the contract `Fees`

Summary

UniSwap V3 SwapRouter's contract address is hardcoded in the contract Fees

Vulnerability Details

The address of the Uniswap V3 SwapRouter contract is hardcoded into the contract Fees. The SwapRouter is indeed deployed at this address on Mainnet, Goerli, Arbitrum, Optimism and Polygon. Uniswap may deploy the SwapRouter to further chains in the future, and there is no guarantee that it will land at the same address. Should Beedle ever deploy this protocol on a chain where the Uniswap V3 SwapRouter lives at a different address, the Fees contract will be broken: no contract will exist at the hardcoded address, so the swapping functionality will not work. In that case Fees would have to be redeployed with the SwapRouter address that is actually in use on the target chain.
Already today, the SwapRouter is deployed on the Celo chain at a different address than the hardcoded one. Should Beedle deploy on Celo, the Fees contract will be non-functional and a redeployment (always a hassle, and paid for with additional deployment gas) will be needed.

Impact

Fees contract will be broken on chains on which SwapRouter is deployed at different address than the hardcoded one.

Tools Used

Manual review

Recommendations

Use deployment scripts and chain-specific configuration when deploying to different chains: pass the SwapRouter address into the Fees constructor (for example as an immutable) and have the deployment script select it per chain ID. Hardcoding external contract addresses in contract bytecode, as done in Fees, is almost never the appropriate solution.
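The following is an added illustration of this recommendation, not code from the Beedle codebase or from Uniswap. It places the flagged pattern (router address baked into bytecode) next to the corrected one (router address injected at deployment, stored as an immutable, and sanity-checked for having code) and adds a small per-chain configuration library of the kind a deployment script would consult. The `ISwapRouter` interface below is a minimal stand-in for the real Uniswap V3 periphery interface, the chain IDs are the public ones for the networks named above, and the router addresses are deliberate placeholders to be replaced from Uniswap's official deployment list.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal stand-in for Uniswap V3's ISwapRouter (assumption: only the
/// single-hop swap entry point is needed for this illustration).
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }

    function exactInputSingle(ExactInputSingleParams calldata params)
        external
        payable
        returns (uint256 amountOut);
}

/// The pattern the finding flags: the router address is a compile-time
/// constant, so the same bytecode silently breaks on any chain where the
/// router is deployed elsewhere (constructed placeholder address, not real).
contract FeesHardcoded {
    ISwapRouter public constant swapRouter =
        ISwapRouter(0x1111111111111111111111111111111111111111);
}

/// Corrected pattern: the router is a deployment parameter. `immutable`
/// keeps the gas profile of a constant while letting each chain get its
/// own value, and the constructor refuses addresses with no code so a
/// wrong configuration fails at deployment instead of at first swap.
contract Fees {
    ISwapRouter public immutable swapRouter;

    error RouterIsZero();
    error RouterHasNoCode(address router);

    constructor(address router) {
        if (router == address(0)) revert RouterIsZero();
        // `address.code.length` is available from Solidity 0.8.0; on a chain
        // where the router lives at a different address this check reverts.
        if (router.code.length == 0) revert RouterHasNoCode(router);
        swapRouter = ISwapRouter(router);
    }
}

/// Per-chain configuration a deployment script (e.g. a Foundry `Script`)
/// would call with `block.chainid`. Chain IDs are the public ones; every
/// router address is a placeholder to be filled from Uniswap's official
/// deployment list. Unknown chains revert rather than defaulting.
library ChainConfig {
    error UnsupportedChain(uint256 chainId);

    // Placeholder values (assumption): replace before any real deployment.
    address internal constant ROUTER_PLACEHOLDER_SHARED =
        0x2222222222222222222222222222222222222222;
    address internal constant ROUTER_PLACEHOLDER_CELO =
        0x3333333333333333333333333333333333333333;

    function swapRouterFor(uint256 chainId) internal pure returns (address) {
        if (
            chainId == 1 ||      // Ethereum mainnet
            chainId == 5 ||      // Goerli
            chainId == 10 ||     // Optimism
            chainId == 137 ||    // Polygon PoS
            chainId == 42161     // Arbitrum One
        ) return ROUTER_PLACEHOLDER_SHARED;
        if (chainId == 42220) return ROUTER_PLACEHOLDER_CELO; // Celo
        revert UnsupportedChain(chainId);
    }
}

/// Deployment helper showing the two pieces together: resolve the router
/// for the current chain, then deploy Fees with it. A Foundry script would
/// wrap the `new Fees(...)` call in `vm.startBroadcast()` / `vm.stopBroadcast()`.
contract FeesDeployer {
    function deploy() external returns (Fees) {
        address router = ChainConfig.swapRouterFor(block.chainid);
        return new Fees(router);
    }
}
```

Two properties of the corrected version are worth noting for review. First, the configuration lives outside the contract bytecode, so the audited `Fees` artifact is identical on every chain and only the deployment input changes. Second, the `code.length` check turns the failure mode described in this finding (a router that is simply absent at the expected address) into a loud, early revert; on a chain such as Celo, deploying with the shared address would fail in the constructor rather than producing a contract whose swap path reverts later.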
