Beginner Friendly
FoundryBridge
Submission Details
Severity: high
Invalid

No Validation for `contractBytecode` enables potential creation of arbitrary contracts

Summary

The TokenFactory contract does not validate the supplied `contractBytecode`, so a caller can deploy an arbitrary contract instead of the intended ERC20 contract.

Vulnerability Details

The TokenFactory contract exists to deploy token contracts, but it performs no validation on the `contractBytecode` it is given. Although the documentation recommends using only L1Token.sol or copies of it, a caller can supply any bytecode, which allows the creation of arbitrary contracts.

Impact

If a malicious user exploits this to deploy a token with malicious functions, or one that does not adhere to the ERC20 standard, it could pose security risks or lead to unexpected behavior when the token is used.

Tools Used

Manual Review

Recommendations

Consider validating the `contractBytecode` parameter, or restricting the accepted bytecode to the expected L1Token contract, so that arbitrary and potentially malicious contracts cannot be deployed through the factory.
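The two factories below are an added illustration for this finding, not the audited project's code: the first deploys whatever init code it receives, the second pins the accepted init code to a hash recorded at construction. The function name, parameter order and `Deployed` event are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative factory (assumed shape, not the project's TokenFactory).
contract UnvalidatedTokenFactory {
    event Deployed(string symbol, address token);

    // Deploys whatever bytecode the caller passes; nothing ties it to L1Token.
    function deployToken(string memory symbol, bytes memory contractBytecode)
        external
        returns (address addr)
    {
        assembly {
            addr := create(0, add(contractBytecode, 0x20), mload(contractBytecode))
        }
        require(addr != address(0), "create failed");
        emit Deployed(symbol, addr);
    }
}

// Hardened variant: only init code whose keccak256 matches the pinned
// L1Token creation-code hash is accepted, so arbitrary bytecode is rejected.
contract PinnedTokenFactory {
    bytes32 public immutable expectedInitCodeHash;
    event Deployed(string symbol, address token);

    // The deployer passes keccak256(type(L1Token).creationCode) once.
    constructor(bytes32 _expectedInitCodeHash) {
        expectedInitCodeHash = _expectedInitCodeHash;
    }

    function deployToken(string memory symbol, bytes memory contractBytecode)
        external
        returns (address addr)
    {
        // Reject anything that is not byte-identical to the L1Token init code.
        require(keccak256(contractBytecode) == expectedInitCodeHash, "bytecode is not L1Token");
        assembly {
            addr := create(0, add(contractBytecode, 0x20), mload(contractBytecode))
        }
        require(addr != address(0), "create failed");
        emit Deployed(symbol, addr);
    }
}
```

The whole-init-code hash check only works when L1Token takes no constructor arguments; if it does, the arguments are appended to the creation code and the check must compare the creation-code prefix instead. A simpler alternative that needs no hash at all is to drop the bytecode parameter and deploy with `new L1Token(...)` directly.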

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Known issue
