stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

SDLPoolPrimary::`migrate()` cannot be called by any address

0xAbinash

Summary

The migrate() of SDLPoolPrimary.sol contract cannot be called by any address ever which disabled the migration logic forever.

Vulnerability Details

The migrate() looks like this:

function migrate(

address _sender,

uint256 _amount,

uint64 _lockingDuration

) external {

if (msg.sender != delegatorPool) revert SenderNotAuthorized();

sdlToken.safeTransferFrom(delegatorPool, address(this), _amount);

_storeNewLock(_sender, _amount, _lockingDuration);

}

There is a check : if (msg.sender != delegatorPool) revert SenderNotAuthorized(); which checks whether the caller is delegatorPool or not, if not then it will revert by SenderNotAuthorized().
The problem is delegatorPool was declared but any address was not assigned to it. In constructor it is checking that if delegatorPool is equal to address(0) then __SDLPoolBase_init() is called otherwise ccipController will be assigned to it. But as delegatorPool was not initialized by any address so it is always address(0), so ccipController will not be assigned to it instead __SDLPoolBase_init() will be called.

So as migrate() will only be called by delegatorPool and as the delegatorPool is always zero address then the all calls to migrate() will be reverted because address(0) cannot initiate any transaction.

POC

In this test:

it('test migrate', async () => {

const zeroAddress = ethers.constants.AddressZero;

const dummyContractAddress = "0x6fCc6eB7F78cf146A4ABEED5Aa8b8260ca115B6C";

assert.equal(await sdlPool.delegatorPool(), zeroAddress);

await expect(sdlPool.connect(dummyContractAddress).migrate(sdlPool.address, 100, 100000)).to.be.reverted

await expect(sdlPool.connect(signers[1]).migrate(sdlPool.address, 100, 100000)).to.be.reverted

})

You can see that the address of delegatorPool is address(0) & themigrate() cannot be called by any contract or EOA.

Impact

Migration feature is disabled forever.

Tools Used

Manual analysis.

Recommendations

Have a function to set the delegatorPool address by a privileged user or set it using initialize().

Updates

Lead Judging Commences

0kage Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.