Submission Details
Severity:
Hardcoded WETH, USD address will break implementation on all chains other than Ethereum since Protocol will be migrating to other L2s
Summary
Hardcoded usd and weth address
Vulnerability Details
library LibWeth {
address constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;
function wrap(uint256 amount, LibTransfer.To mode) internal {
deposit(amount);
LibTransfer.sendToken(IERC20(WETH), amount, msg.sender, mode);
}
function unwrap(uint256 amount, LibTransfer.From mode) internal {
amount = LibTransfer.receiveToken(IERC20(WETH), amount, msg.sender, mode);
withdraw(amount);
(bool success, ) = msg.sender.call{value: amount}(new bytes(0));
require(success, "Weth: unwrap failed");
}
function deposit(uint256 amount) private {
IWETH(WETH).deposit{value: amount}();
}
function withdraw(uint256 amount) private {
IWETH(WETH).withdraw(amount);
}
}
chainlinkOraclePriceAddress = ChainlinkPriceFeedRegistry(chainlinkRegistry).getFeed(
token,
0x0000000000000000000000000000000000000348
); // 0x0348 is the address for USD
}
Impact
The protocol is will not work on the new or potential supported L2 blockchains due to the hardcoded usd, weth contract address.
Tools Used
Manual Review.
Recommendations
Set usd, weth value from a constructor parameter.
Updates
Lead Judging Commences
inallhonesty 11 months ago
Submission Judgement Published Reason: Design choice
Assigned finding tags:
Hardcoded WETH/WSTETH/USDC/USDT won't be the same on L2's
Appeal created
inallhonesty 11 months ago
Submission Judgement Published Assigned finding tags:
Hardcoded WETH/WSTETH/USDC/USDT won't be the same on L2's
Prize pool breakdown
Total prize
250,000 USDC
nSLOC
12,28520 USDC / LOC
220,000 USDC
10,000 USDC
20,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.