Submission Details
Severity:
Polygon USDC contract should be used instead of MockUSDC in `Deploy.s.sol`
Description
Polygon USDC contract(0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174) should be used during the deployment in Deploy.s.sol instead of MockUSDC address
Impact
Polygon USDC is the actual erc20 which the protocol intends to use and its address should be used during the deployment , MockUSDC has 0 value and should only be used for testing purposes
Proof of Concept
function deploy() public returns (Kernel, IERC20, CrimeMoney, WeaponShelf, MoneyShelf, Laundrette) {
godFather = msg.sender;
// Deploy USDC mock
HelperConfig helperConfig = new HelperConfig();
@> IERC20 usdc = IERC20(helperConfig.getActiveNetworkConfig().usdc);
Kernel kernel = new Kernel();
CrimeMoney crimeMoney = new CrimeMoney(kernel);
...
...
...
}
The Polygon Address returned by Helperconfig.s.sol
function getPolygonMainnetConfig() public pure returns (NetworkConfig memory) {
return NetworkConfig({ usdc: address(1) });
}
The USDC Address returned by Deployer.s.sol is not Polygon USDC address
PoC: Address returned is not Polygon USDC
function test_usdc() public view {
//Polygon USDC address
address USDC = 0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174;
console.log("usdc", address(usdc));
assertNotEq(address(usdc), USDC);
}
Recommended Mitigation
The Polygon USDC contract should be used
IERC20 USDC = IERC20(0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174);
Rewards breakdown
nSLOC
205This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.