The deployToken function does not validate the symbol and contractBytecode inputs. This could lead to unexpected behavior if an empty string or invalid bytecode is passed.
If an empty string is passed as the symbol, the token will not have a symbol. This could lead to confusion and difficulties when interacting with the token.
Similarly, if invalid bytecode is passed, the contract creation will fail, and the addr variable will be zero. This could lead to unexpected behavior and potential issues in the smart contract.
If an empty string or invalid bytecode is passed to the deployToken function, it could lead to unexpected behavior in the smart contract and the protocol that uses it.
Unexpected Behavior: If an empty string is passed as the symbol, the token will not have a symbol. This could lead to confusion and difficulties when interacting with the token. Similarly, if invalid bytecode is passed, the contract creation will fail, and the addr variable will be zero. This could lead to unexpected behavior and potential issues in the smart contract.
Contract Creation Failure: If invalid bytecode is passed, the contract creation will fail. This could lead to the loss of gas, as the gas used to attempt to create the contract will not be refunded. It could also lead to the loss of functionality in the protocol, as the new token will not be created.
Potential for Fraud: If a malicious actor or a bug in another contract passes an empty string or invalid bytecode, it could lead to potential fraud. For example, if a token used for governance or staking is created without a symbol, it could be manipulated by the attacker.
To mitigate these risks, it's crucial to add input validation to the deployToken function.
In the deployToken function, input validation could prevent issues like deploying a token with an empty symbol or with invalid contract bytecode. This can be achieved using the require function in Solidity, which checks if a condition is met and reverts the transaction if it's not.
Here's how you can add input validation to the deployToken function:
In this improved version of the function, the require function is used to check if the symbol and contractBytecode inputs are not empty. If either of them is empty, the transaction is reverted and an error message is returned. This helps to prevent unexpected behavior and potential issues in the smart contract.
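A sketch of the validation described above, as an added example rather than the submission's or the project's own code. The contract name, function signature, registry mapping, event and error strings are assumptions. It also goes one step beyond the empty-input checks by reverting when create returns the zero address, since non-empty bytecode can still be invalid.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: every name below except deployToken, symbol,
// contractBytecode and addr is hypothetical. Access control is omitted.
contract TokenFactoryExample {
    // Hypothetical registry of deployed tokens, keyed by symbol.
    mapping(string => address) private tokenBySymbol;

    event TokenDeployed(string symbol, address addr);

    function deployToken(string memory symbol, bytes memory contractBytecode)
        public
        returns (address addr)
    {
        // Reject an empty symbol before any state change or deployment.
        require(bytes(symbol).length > 0, "deployToken: empty symbol");

        // Reject empty bytecode; create() with zero-length init code
        // would otherwise succeed and deploy an account with no code.
        require(contractBytecode.length > 0, "deployToken: empty bytecode");

        assembly {
            // Skip the 32-byte length prefix of the bytes array.
            // create returns 0 if the init code reverts or is invalid.
            addr := create(0, add(contractBytecode, 0x20), mload(contractBytecode))
        }

        // Non-empty bytecode can still fail to deploy. Without this check
        // the zero address would be recorded and emitted as a valid token.
        require(addr != address(0), "deployToken: creation failed");

        tokenBySymbol[symbol] = addr;
        emit TokenDeployed(symbol, addr);
    }

    // Lookup helper so callers and tests can read the registry.
    function getTokenAddress(string memory symbol) external view returns (address) {
        return tokenBySymbol[symbol];
    }
}
```

Because all three checks revert, a failed call leaves the registry unchanged and emits no event, so callers never observe a token mapped to the zero address.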