First Flight #4: Boss Bridge
First Flight #4
Beginner FriendlyFoundryBridge
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Invalid

No check on return value of create

0xepley

Summary

No check on the return value of create can have any unintended consequences.

Vulnerability Details

In deployToken function we are using create to deploy a new ERC20 contract but the catch here is that there is no check on the return value of create. If due to any reason create fail it will return 0. and if we see the code of deployToken which is as follow

function deployToken(string memory symbol, bytes memory contractBytecode) public onlyOwner returns (address addr) {
assembly {
addr := create(0, add(contractBytecode, 0x20), mload(contractBytecode)) //@audit - no check on return value, could be 0
}
s_tokenToAddress[symbol] = addr;
emit TokenDeployed(symbol, addr);
}

Then we can see that there isn't any kind of check on the return value, the code is always assuming that the create is successful.
Then the code is storing the return value of create which should be instead an address in the s_tokenToAddress mapping

Impact

Since is deployed ERC20 token is being used in the protocol,failure to deploy it and assuming that its successfully deployed will cause many unintended consequences.

Tools Used

Manual review

Recommendations

I recommend checking the return condition of create

Updates

Lead Judging Commences

0xnevi Lead Judge
about 2 years ago
0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.