First Flight #4: Boss Bridge

First Flight #4

Beginner FriendlyFoundryBridge

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

```TokenFactory::DeployToken()``` deploys always a singular type of token

kiteweb3

Summary

The TokenFactory::DeployToken() function, using the L1Token contractbytecode, consistently deploys tokens with identical name, symbol, and totalSupply values, as these parameters are hardcoded in the L1Token contract. Essentially, the DeployToken() can only deploy a singular type of token.

Vulnerability Details

//L1Token.sol

@> uint256 private constant INITIAL_SUPPLY = 1_000_000;

@> constructor() ERC20("BossBridgeToken", "BBT") {

_mint(msg.sender, INITIAL_SUPPLY * 10 ** decimals());

}

//TokenFactory.sol

@> function deployToken(string memory symbol, bytes memory contractBytecode) public onlyOwner returns (address addr) {

assembly {

addr := create(0, add(contractBytecode, 0x20), mload(contractBytecode))

}

s_tokenToAddress[symbol] = addr;

emit TokenDeployed(symbol, addr);

}

Impact

//All the deployed tokens have the same name, symbol and total supply

function testDeployedTokensHaveSameNameAndSymbol() public {

vm.prank(owner);

address tokenAddress_1 = tokenFactory.deployToken("FIRST TOKEN", type(L1Token).creationCode);

vm.prank(owner);

address tokenAddress_2 = tokenFactory.deployToken("SECOND TOKEN", type(L1Token).creationCode);

//The tokens have the same name

assertEq(

keccak256(abi.encodePacked(L1Token(tokenAddress_1).name())),

keccak256(abi.encodePacked(L1Token(tokenAddress_2).name()))

);

//The tokens have the same symbol

assertEq(

keccak256(abi.encodePacked(L1Token(tokenAddress_1).symbol())),

keccak256(abi.encodePacked(L1Token(tokenAddress_2).symbol()))

);

//The tokens have the same total supply.

assertEq(

keccak256(abi.encodePacked(L1Token(tokenAddress_1).totalSupply())),

keccak256(abi.encodePacked(L1Token(tokenAddress_2).totalSupply()))

);

}

Tools Used

Manual review.

Recommendations

Pass the name, the symbol and the total supply as parameters in the constructors.

contract L1Token is ERC20 {

- uint256 private constant INITIAL_SUPPLY = 1_000_000;

- constructor() ERC20("BossBridgeToken", "BBT") {

+ constructor(string memory name, string memory symbol, uint256 totalSupply) ERC20(name, symbol) {

_mint(msg.sender, totalSupply * 10 ** decimals());

}

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

deployToken: non-unique symbol for tokens

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.