TSender
Cyfrin
DeFiFoundry
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Unexpected protocol behavior because of some tokens have implementations only on part of the target chains

pontifex

Summary

USDT, USDC and LINK tokens have no implementations on some of the target deployment chains. So there is no guarantee of correct integration when the implementations will appear.

Vulnerability Details

According to the contest documentation expected token integrations are USDT, USDC, LINK and WETH, and target deployment chains are zkSync Era, Ethereum, Arbitrum, Optimism, Base and Blast.

Unfortunately only WETH token has implementations on all listed chains currently.

In turn LINK and USDC have no implementations on Blast chain (https://docs.chain.link/resources/link-token-contracts, https://www.circle.com/en/multi-chain-usdc).

USDT has no trusted implementations on Base and Blast chains (https://basescan.org/tokens , https://blastscan.io/tokens).

Since the implementations are absent no one can guarantee the protocol can integrate with them.

Impact

Though the likelihood of unsupported implementations appearing is low the potential impact, e.g. asset losses, is high.

Tools used

Manual Review

Recommendations

Consider reducing the list of supported tokens on Base and Blast chains according to the provided information.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
pontifex Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
pontifex Submitter
about 1 year ago
patrickalphac Auditor
about 1 year ago
pontifex Submitter
about 1 year ago
patrickalphac Auditor
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

undeployed-tokens-must-not-be-considered-valid

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.