DeFiHardhatOracleProxyUpdates
100,000 USDC
Submission Details
Severity: low
Invalid

Unsafe ABI Encoding

Summary

This finding highlights instances of unsafe ABI encoding identified within the codebase. The occurrences are found in several contracts, including LibEvaluate.sol, LibGauge.sol, LibTokenSilo.sol, and LibWhitelist.sol. These unsafe ABI encodings pose a risk because abi.encodeWithSelector offers no type checking of the supplied arguments and is vulnerable to typos in the hand-written function signature.

Vulnerability Details

LibEvaluate.sol (Line 331):
Unsafe ABI encoding is used on line 331 of LibEvaluate.sol.

bytes memory callData = abi.encodeWithSelector(lwSelector);

LibGauge.sol (Line 191):
Unsafe ABI encoding is used on line 191 of LibGauge.sol.

bytes memory callData = abi.encodeWithSelector(

LibTokenSilo.sol (Line 467, 469):
Unsafe ABI encoding is used on lines 467 and 469 of LibTokenSilo.sol.

callData = abi.encodeWithSelector(selector, amount);
} else if (encodeType == 0x01) {
callData = abi.encodeWithSelector(selector, token, amount);

LibWhitelist.sol (Line 236, 245):
Unsafe ABI encoding is used on lines 236 and 245 of LibWhitelist.sol.

(bool success, ) = address(this).staticcall(abi.encodeWithSelector(selector, 0, 0, 0));
(bool success, ) = address(this).staticcall(abi.encodeWithSelector(selector));

Impact

The usage of unsafe ABI encodings can lead to various risks, including:

Type Mismatch: Inappropriate parameter types passed to function calls can result in unexpected behavior or runtime errors.

Typo Vulnerabilities: Mistakes in function signatures due to typos can lead to unintended function calls or failures.

Security Risks: Lack of type safety and typo vulnerabilities increase the likelihood of contract vulnerabilities and potential exploits.

Tools Used

The findings were identified through manual code review and analysis. No specific automated tools were used for this assessment.

Recommendations

Replace with abi.encodeCall:
Consider replacing all instances of unsafe ABI encodings with abi.encodeCall. This method provides type safety by verifying whether the supplied values match the expected types of the called function parameters. It also reduces the risk of errors caused by typos.
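As an added illustration of this recommendation (not code from the audited codebase), the unsafe encoding is shown beside its abi.encodeCall replacement against a hypothetical IPriceSource interface; the commented-out lines show the mistake each form lets through or rejects:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // abi.encodeCall is available from 0.8.11

// Hypothetical callee used only to illustrate the two encodings.
interface IPriceSource {
    function price(address token, uint256 amount) external view returns (uint256);
}

contract EncodingComparison {
    // Unsafe form, as in the quoted lines: the signature is a free-form string and
    // the arguments are untyped, so a typo in the string or a wrong argument
    // type/order compiles cleanly and only shows up at runtime.
    function unsafeCallData(address token, uint256 amount) public pure returns (bytes memory) {
        bytes4 selector = bytes4(keccak256("price(address,uint256)"));
        return abi.encodeWithSelector(selector, token, amount);
        // Compiles without complaint, but encodes the arguments in the wrong order:
        // return abi.encodeWithSelector(selector, amount, token);
    }

    // Type-safe form recommended above: the compiler derives the selector from the
    // function and checks arity and argument types against its parameter list.
    function safeCallData(address token, uint256 amount) public pure returns (bytes memory) {
        return abi.encodeCall(IPriceSource.price, (token, amount));
        // Rejected at compile time (uint256 is not implicitly convertible to address):
        // return abi.encodeCall(IPriceSource.price, (amount, token));
    }

    // When the hand-written signature happens to be correct, both produce identical
    // calldata; the difference lies only in what the compiler will catch.
    function encodingsMatch(address token, uint256 amount) external pure returns (bool) {
        return keccak256(unsafeCallData(token, amount)) == keccak256(safeCallData(token, amount));
    }
}
```

abi.encodeCall takes a function reference rather than a bytes4, so it can only replace call sites where the target function is known at compile time; a selector held in a variable, as in the quoted lines, still has to go through abi.encodeWithSelector.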

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational/Invalid
