Summary

The protocol mentions to deploy on Polygon, but it uses address(1) as the USDC address which is not of the actual USDC contract on any chain and sets address(1) as the USDC address in the protocol which will make the protocol suffer from DoS for that token related function.

Vulnerability Details

The vulnerability is present in the Helper Config where it returns address(1) as the USDC address for chains.

As we are focusing its deployment on Polygon, but for that too it returns address(1) as the USDC address which will thus set incorrect address in the protocol and will make the protocol to suffer from a DoS on various functions that are dependent on that USDC address.

Impact

The functions depositTheCrimeMoneyInATM and withdrawMoney will face a DoS.

No one will be able to deposit USDC in the shelf.

Tools Used

Manual Review

Recommendations

Correct all the addresses in the Helper Config for USDC.

Importantly correct the USDC address for Polygon Mainnet from address(1) to address(0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359)