DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: low
Valid

The `DepotFacet` contract uses an incorrect `PIPELINE` address.

GitHub links

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/9c7b9fd521ad7cbe65cc788df181887c0eb39c6d/protocol/contracts/beanstalk/farm/DepotFacet.sol#L21

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/9c7b9fd521ad7cbe65cc788df181887c0eb39c6d/protocol/contracts/beanstalk/farm/DepotFacet.sol#L31

Summary

The DepotFacet contract uses an incorrect PIPELINE address.

Vulnerability Details

The `DepotFacet` contract hardcodes the L1 `PIPELINE` address, which is invalid on L2.

```solidity
contract DepotFacet is Invariable {
    // Pipeline V1.0.1
    // Hardcoded L1 address: this is the constant the finding is about.
    address private constant PIPELINE = 0xb1bE0000C6B3C62749b5F0c92480146452D15423;

    /**
     * @notice Pipe a PipeCall through Pipeline.
     * @param p PipeCall to pipe through Pipeline
     * @return result PipeCall return value
     **/
    function pipe(
        PipeCall calldata p
    ) external payable fundsSafu noSupplyIncrease returns (bytes memory result) {
        result = IPipeline(PIPELINE).pipe(p);
    }

    // ... (rest of the contract not shown in this excerpt)
}
```

As a result, multiple functions, including `pipe()`, wouldn't work properly on L2.

Impact

Multiple functions of the DepotFacet contract wouldn't work properly.

Tools Used

Manual Review

Recommendations

The `PIPELINE` address should be set as a parameter for L2.
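
One way to apply this recommendation, as an added sketch that is not part of the original submission or the Beanstalk code base: the facet takes the Pipeline address at deployment and refuses an address with no code on the target chain. The contract name `DepotFacetParameterized`, the error `PipelineNotDeployed`, and the minimal `PipeCall`/`IPipeline` definitions are assumptions made so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-ins (assumed) for the project's PipeCall and IPipeline types.
struct PipeCall {
    address target;
    bytes data;
}

interface IPipeline {
    function pipe(PipeCall calldata p) external payable returns (bytes memory result);
}

/// Hypothetical variant of DepotFacet that takes the Pipeline address per chain.
contract DepotFacetParameterized {
    error PipelineNotDeployed(address pipeline);

    // Immutables are embedded in the facet's bytecode, not in storage, so the
    // value is still available when a diamond delegatecalls into this facet.
    address private immutable PIPELINE;

    constructor(address pipeline) {
        // Reject an address that has no code on the chain being deployed to,
        // e.g. an L1 address passed by mistake in an L2 deployment.
        if (pipeline.code.length == 0) revert PipelineNotDeployed(pipeline);
        PIPELINE = pipeline;
    }

    /// Same forwarding logic as the excerpt in this report; the project's
    /// fundsSafu and noSupplyIncrease modifiers are omitted in this sketch.
    function pipe(PipeCall calldata p) external payable returns (bytes memory result) {
        result = IPipeline(PIPELINE).pipe(p);
    }
}
```

The code-length check only proves that some contract exists at the address; confirming it is the intended Pipeline deployment still has to happen in the deployment script or review.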

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Hardcoded Pipeline address

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Hardcoded Pipeline address
