stake.link

stake.link
DeFiHardhatBridge
27,500 USDC
View results
Submission Details
Severity: high
Invalid

SDLPoolPrimary::`migrate()` cannot be called by any address

Summary

The migrate() of SDLPoolPrimary.sol contract cannot be called by any address ever which disabled the migration logic forever.

Vulnerability Details

The migrate() looks like this:

function migrate(
address _sender,
uint256 _amount,
uint64 _lockingDuration
) external {
if (msg.sender != delegatorPool) revert SenderNotAuthorized();
sdlToken.safeTransferFrom(delegatorPool, address(this), _amount);
_storeNewLock(_sender, _amount, _lockingDuration);
}

There is a check : if (msg.sender != delegatorPool) revert SenderNotAuthorized(); which checks whether the caller is delegatorPool or not, if not then it will revert by SenderNotAuthorized().
The problem is delegatorPool was declared but any address was not assigned to it. In constructor it is checking that if delegatorPool is equal to address(0) then __SDLPoolBase_init() is called otherwise ccipController will be assigned to it. But as delegatorPool was not initialized by any address so it is always address(0), so ccipController will not be assigned to it instead __SDLPoolBase_init() will be called.

So as migrate() will only be called by delegatorPool and as the delegatorPool is always zero address then the all calls to migrate() will be reverted because address(0) cannot initiate any transaction.

POC

In this test:

it('test migrate', async () => {
const zeroAddress = ethers.constants.AddressZero;
const dummyContractAddress = "0x6fCc6eB7F78cf146A4ABEED5Aa8b8260ca115B6C";
assert.equal(await sdlPool.delegatorPool(), zeroAddress);
await expect(sdlPool.connect(dummyContractAddress).migrate(sdlPool.address, 100, 100000)).to.be.reverted
await expect(sdlPool.connect(signers[1]).migrate(sdlPool.address, 100, 100000)).to.be.reverted
})

You can see that the address of delegatorPool is address(0) & themigrate() cannot be called by any contract or EOA.

Impact

Migration feature is disabled forever.

Tools Used

Manual analysis.

Recommendations

Have a function to set the delegatorPool address by a privileged user or set it using initialize().

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.