Submission Details
Severity: high
Valid

Misconfiguration in the `dependencies` Array Assignment in `configureDependencies()` function of the `Laundrette` contract

Summary

The configureDependencies function of the Laundrette smart contract writes its second keycode to the wrong index of the dependencies array, which can lead to malfunctioning of the contract's operations.

Vulnerability Details

The configureDependencies function is responsible for setting up the dependencies for the Laundrette contract by initializing the moneyShelf and weaponShelf variables. The function constructs an array of Keycode type called dependencies to store the keycodes of the required modules.

The code intends to set two different keycodes for moneyShelf and weaponShelf modules. However, there is an error in the assignment:

```solidity
dependencies[0] = toKeycode("MONEY");
moneyShelf = MoneyShelf(getModuleAddress(toKeycode("MONEY")));
dependencies[0] = toKeycode("WEAPN"); // Incorrect index, should be dependencies[1]
weaponShelf = WeaponShelf(getModuleAddress(toKeycode("WEAPN")));
```

The correct assignment should be:

```solidity
dependencies[1] = toKeycode("WEAPN");
```

Impact

This misconfiguration can lead to the following issues:

  1. Only one keycode (toKeycode("WEAPN")) is stored in the dependencies array, overwriting the previously set keycode (toKeycode("MONEY")).

  2. The moneyShelf module will not be correctly registered as a dependency, potentially causing the contract to fail when it attempts to interact with the moneyShelf functions.

  3. Any functionality relying on the moneyShelf module will be disrupted, leading to a partial or complete failure of the contract's intended operations.

Tools Used

Manual code review

Recommendations

To resolve this vulnerability, the following changes should be made in the configureDependencies function:

Correct the index assignment for the second dependency:

```solidity
dependencies[1] = toKeycode("WEAPN");
```

The corrected function should be:

```solidity
function configureDependencies() external override onlyKernel returns (Keycode[] memory dependencies) {
    // Two slots: one per module this contract depends on
    dependencies = new Keycode[](2);

    dependencies[0] = toKeycode("MONEY");
    moneyShelf = MoneyShelf(getModuleAddress(toKeycode("MONEY")));

    dependencies[1] = toKeycode("WEAPN"); // Correct index assignment
    weaponShelf = WeaponShelf(getModuleAddress(toKeycode("WEAPN")));
}
```

Implementing these changes will ensure that both the moneyShelf and weaponShelf dependencies are correctly registered, maintaining the integrity and functionality of the Laundrette contract.
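A regression check for this mistake, as an added example that is not code from the Laundrette project: it compares the array produced by the reported assignments with the one produced by the corrected assignments. `Keycode` and `toKeycode` are re-declared locally so the file compiles alone, and `DependencyArrayCheck`, `reported`, `corrected`, `declaresAll` and `check` are hypothetical names; the module lookups are left out because only the returned array is checked.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Re-declared here so the file compiles alone (assumption: the project
// supplies its own Keycode type and toKeycode helper).
type Keycode is bytes5;

function toKeycode(bytes5 keycode_) pure returns (Keycode) {
    return Keycode.wrap(keycode_);
}

// Hypothetical harness, not part of the Laundrette code base.
contract DependencyArrayCheck {
    // Same array writes as the reported function; module lookups omitted.
    function reported() public pure returns (Keycode[] memory dependencies) {
        dependencies = new Keycode[](2);
        dependencies[0] = toKeycode("MONEY");
        dependencies[0] = toKeycode("WEAPN"); // overwrites MONEY; slot 1 stays zero
    }

    // Same array writes as the corrected function.
    function corrected() public pure returns (Keycode[] memory dependencies) {
        dependencies = new Keycode[](2);
        dependencies[0] = toKeycode("MONEY");
        dependencies[1] = toKeycode("WEAPN");
    }

    // True only when every required keycode appears somewhere in deps.
    function declaresAll(Keycode[] memory deps, Keycode[] memory required) public pure returns (bool) {
        for (uint256 i = 0; i < required.length; i++) {
            bool found = false;
            for (uint256 j = 0; j < deps.length; j++) {
                if (Keycode.unwrap(deps[j]) == Keycode.unwrap(required[i])) found = true;
            }
            if (!found) return false;
        }
        return true;
    }

    // Reverts if the reported layout passes or the corrected layout fails.
    function check() external pure {
        Keycode[] memory required = new Keycode[](2);
        required[0] = toKeycode("MONEY");
        required[1] = toKeycode("WEAPN");
        require(!declaresAll(reported(), required), "reported layout should miss MONEY");
        require(declaresAll(corrected(), required), "corrected layout incomplete");
    }
}
```

The same `declaresAll` comparison can be pointed at the array returned by the real `configureDependencies()` in a test, so that a dropped or overwritten keycode fails the suite.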

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Laundrette incorrect dependencies
