The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Missing Interface Validation in Constructor Leads to Unverified `tokenManager` Assignment, Potentially Compromising The Contract Behaviour

0xdoko

Summary

The smart contract code lacks interface validation in the constructor, specifically during the assignment of the tokenManager variable. This oversight may result in the assignment of an address of a contract that doesn't have the required functionality(the function signatures declared in the ITokenManager interface) as the tokenManager, potentially compromising the execution and behavior of the entire contract.

Vulnerability Details

In the provided code, the constructor assigns an address to the tokenManager without verifying whether it adheres to the specified interface (ITokenManager). The problem is that when deploying the LiquidationPool contract, the deployer can provide a contract address for the tokenManager that doesn't have the implemented functionality that is required in the interface ITokenManager. If this happens, the code will result in a compilation error.

Impact

The impact of this vulnerability is significant, as it opens the possibility of interacting with a tokenManager that does not conform to the expected interface. This can lead to unexpected behaviour.

Tools Used

Mannual Review

Recommendations

Interface Validation: Implement a check in the constructor to ensure that the assigned tokenManager contract adheres to the specified ITokenManager interface. This can be achieved by calling the supportsInterface function or using a similar method to verify compatibility.

Here is how you can implement interface validation in the constructor:

constructor(address _TST, address _EUROs, address _eurUsd, address _tokenManager) {

TST = _TST;

EUROs = _EUROs;

eurUsd = _eurUsd;

+ require(

+ supportsInterface(_tokenManager, type(ITokenManager).interfaceId),

+ "Token manager does not support ITokenManager interface"

+ );

tokenManager = _tokenManager;

manager = payable(msg.sender);

}

+ // Check if a contract supports a specific interface

+ function supportsInterface(address _contract, bytes4 _interfaceId) internal view returns (bool) {

+ (bool success, bytes memory result) = _contract.staticcall(abi.encodeWithSelector(0x01ffc9a7, _interfaceId));

+ return success && (result.length > 0);

+ }

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

informational/invalid

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.