The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Contract creation utilizing wrong address

Summary

The protocol sets the liquidation pool manager in SmartVaultManagerV5.sol:

    function setProtocolAddress(address _protocol) external onlyOwner() {
        protocol = _protocol;
    }

The multisig treasury is set in LiquidationPoolManager::constructor:

    constructor(address _TST, address _EUROs, address _smartVaultManager, address _eurUsd, address payable _protocol, uint32 _poolFeePercentage) {
        pool = address(new LiquidationPool(_TST, _EUROs, _eurUsd, ISmartVaultManager(_smartVaultManager).tokenManager()));
        TST = _TST;
        EUROs = _EUROs;
        smartVaultManager = _smartVaultManager;
        protocol = _protocol; // @audit multisig
        poolFeePercentage = _poolFeePercentage;
    }

Impact

The deployer has a high chance of deploying with the wrong address, so that funds are redirected to it.

Tools Used

Manual Review

Recommendations

Rename protocol to multisig in LiquidationPoolManager, and rename protocol to LiquidationManager in SmartVaultManagerV5.
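
A pre-deployment check for the two addresses discussed above, as an added example that is not part of the original submission or The Standard's code. The function name checkProtocolWiring, the plan field names and the sample addresses are assumptions constructed for illustration.

```javascript
// Added example (hypothetical helper, not The Standard's code).
// Roles taken from the finding:
//   SmartVaultManagerV5.setProtocolAddress(_protocol) -> the LiquidationPoolManager
//   LiquidationPoolManager constructor `_protocol`    -> the multisig treasury
const ZERO = "0x" + "0".repeat(40);
const norm = (a) => String(a).toLowerCase();
const isAddress = (a) => /^0x[0-9a-fA-F]{40}$/.test(String(a));

// Returns a list of problems; an empty list means the plan is wired as intended.
function checkProtocolWiring(plan) {
  const errors = [];
  for (const [name, value] of Object.entries(plan)) {
    if (!isAddress(value)) errors.push(`${name}: not a 20-byte hex address`);
    else if (norm(value) === ZERO) errors.push(`${name}: zero address`);
  }
  if (errors.length > 0) return errors; // role checks need well-formed input

  const { multisig, liquidationPoolManager, poolManagerCtorProtocol, vaultManagerProtocol } = plan;
  if (norm(poolManagerCtorProtocol) !== norm(multisig)) {
    const hint = norm(poolManagerCtorProtocol) === norm(liquidationPoolManager)
      ? " (it is the pool manager's own address)" : "";
    errors.push(`LiquidationPoolManager constructor _protocol must be the multisig${hint}`);
  }
  if (norm(vaultManagerProtocol) !== norm(liquidationPoolManager)) {
    const hint = norm(vaultManagerProtocol) === norm(multisig)
      ? " (it is the multisig: the two roles look swapped)" : "";
    errors.push(`setProtocolAddress argument must be the LiquidationPoolManager${hint}`);
  }
  return errors;
}

// Constructed sample addresses, not real deployments.
const addr = (byte) => "0x" + byte.repeat(20);
const goodPlan = {
  multisig: addr("a1"),
  liquidationPoolManager: addr("b2"),
  poolManagerCtorProtocol: addr("a1"), // value passed as `_protocol` to the constructor
  vaultManagerProtocol: addr("b2"),    // value passed to setProtocolAddress
};
const swappedPlan = { ...goodPlan, poolManagerCtorProtocol: addr("b2"), vaultManagerProtocol: addr("a1") };

console.log(checkProtocolWiring(goodPlan));
console.log(checkProtocolWiring(swappedPlan));
```
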

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

informational/invalid

thedoctor Submitter
almost 2 years ago
hrishibhat Lead Judge
over 1 year ago
