Submission Details
Severity: high
Valid

Incorrect USDC token address in `Deploy.s.sol::s_zkSyncUSDC` breaks protocol functionality

Description:
The s_zkSyncUSDC token address set in the Deploy.s.sol contract is incorrect. The current address (0x1D17CbCf0D6d143135be902365d2e5E2a16538d4) does not correspond to the correct address of the token used for the airdrop. The correct address for the token is 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4.

```solidity
contract Deploy is Script {
    // ...
@>  address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
    // ...
}
```

Impact:
Using an incorrect token address in the Deploy.s.sol contract can lead to several issues, including:

  • Failed Token Transfers: Any attempt to transfer tokens to the airdrop contract or from it will fail because the contract will interact with the wrong token address.

  • Incorrect Token Distribution: The airdrop process will not distribute the intended tokens to the participants, as the contract will not be able to recognize or interact with the correct token.

  • Confusion and Mismanagement: This discrepancy can lead to confusion among developers, stakeholders, and participants.

Recommended Mitigation:
To correct this issue, the s_zkSyncUSDC token address in the Deploy.s.sol contract should be updated to the correct address (0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4). This change ensures that the contract interacts with the correct token, allowing for successful token transfers and distribution during the airdrop.

```solidity
address public s_zkSyncUSDC = 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4;
```

For future reference, the correct addresses for various tokens can be found on the zkSync Era Block Explorer at https://explorer.zksync.io/tokens
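A pre-deployment check for this class of mistake, added here as an example and not part of the original submission or the project's code: it extracts named address literals from a deploy script, compares them case-insensitively against a reference list, and reports which hex digits differ. The `EXPECTED` map, the function names and the sample source string are assumptions; the two addresses are the ones quoted in this finding.

```python
import re

# Reference list (assumed to be maintained by the team from the block explorer).
# The value below is the address this finding gives as correct.
EXPECTED = {"s_zkSyncUSDC": "0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4"}

# Constructed sample input: the declaration flagged in Deploy.s.sol.
SAMPLE_SOURCE = """
contract Deploy is Script {
    address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
}
"""

# Matches `address [modifiers...] <name> = 0x<40 hex digits>;`
ADDR_DECL = re.compile(
    r"address\s+(?:\w+\s+)*?(\w+)\s*=\s*(0x[0-9a-fA-F]{40})\s*;"
)


def nibble_diff(found, expected):
    """Return 0-based indices of hex digits that differ, ignoring letter case."""
    a, b = found.lower()[2:], expected.lower()[2:]
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def check_addresses(source, expected):
    """Return (name, found, expected, differing_indices) for every mismatch.

    A name in `expected` that is never declared in `source` is reported
    with found=None so a renamed variable cannot silently skip the check.
    """
    findings, seen = [], set()
    for name, literal in ADDR_DECL.findall(source):
        if name not in expected:
            continue
        seen.add(name)
        diff = nibble_diff(literal, expected[name])
        if diff:
            findings.append((name, literal, expected[name], diff))
    for name in sorted(expected.keys() - seen):
        findings.append((name, None, expected[name], []))
    return findings


if __name__ == "__main__":
    for name, found, want, diff in check_addresses(SAMPLE_SOURCE, EXPECTED):
        print(f"{name}: found {found}, expected {want}, differing digits at {diff}")
```

On the flagged declaration this reports a single differing hex digit at index 18 (`b` versus `a`), which the different letter casing of the two literals makes hard to spot by eye.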

Tools Used: Manual review

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usdc-wrong-address
