Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Wrong token contract address in deployment script can lead to deploying with wrong address and wrecking the protocol.

kral01

Summary

I'm completely aware that the deployment scripts are not in scope but hear me out:

I don't know if the same deployment script is going to be used when this codebase gets deployed to mainnet or just add other things to it while not bothering to check the address, either way is gonna cause an issue (if you/ protocol team think that its the case then give me this high severity issue, come on). Enough chit chat lets get into it.

Nothing much, the contract address of jpycv2 is wrong in the HelperConfig: :getPolygonConfig() of HelperConfig.sol.
The given contract address can be viewed in polygonscan here.

Vulnerability Details

File HelperConfig.sol

function getPolygonConfig() public view returns (NetworkConfig memory) {

// real addresses

address[] memory arr = new address[](3);

arr[0] = 0x431D5dfF03120AFA4bDf332c61A6e1766eF37BDB; // jpyc v2 on polygon

arr[1] = 0x2370f9d504c7a6E775bf6E14B3F12846b594cD53; // jpyc v1 on polygon @audit this is not the jpyc v2 contract address on polygon

//The comment is messed up too, but its okay, values are correctly returned

arr[2] = 0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174; // usdc on polygon

// arr[3] = 0xc2132D05D31c914a87C6611C10748AEb04B58e8F; // usdt on polygon

return NetworkConfig({

jpycv1Address: arr[0],

jpycv2Address: arr[1],

usdcAddress: arr[2],

usdtAddress: address(0),

deployerKey: vm.envUint("PRIVATE_KEY")

});

}

Impact

Since wrong token address is used, it can lead to tokens being send to non-desirable contract and can cause lockup of funds and also breaking the system in cases where it uses jpyc v2.

Tools Used

Manual review

Recommendations

Just add the correct contract address for the token and you are good to go, and oh you might want to uncomment the contract address for usdt which is the correct contract address. Even though its not used in tests, the array slot return zero address now ig??.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.