LibWhitelist incorrectly verifies addresses
Summary
Verify functions in LibWhitelist are supposed to perform sanity checks that provided address is correct implementation.
It performs function call and ensures that call is successful. However such checks are incorrect and won't catch incorrect implementations in most of the cases.
Because it doesn't make sure that called address is contract.
Vulnerability Details
In LibWhitelis there are functions verifyOracleImplementation(), verifyGaugePointImplementation(), verifyLiquidityWeightImplementation(). They are mostly identical, they perform staticCall and check result boolean:
However low level calls return success if address is EOA, so this check just don't work
Impact
Incorrect implementations can be configured because of incorrect sanity check.
Tools Used
Manual Review
Recommendations
Check that address contains code before calling it.
Lead Judging Commences
Informational/Gas
Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
LibWhitelist incorrectly verifies addresses - Low level calls return success on EOAs
Appeal created
Informational/Gas
Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
LibWhitelist incorrectly verifies addresses - Low level calls return success on EOAs
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.