Submission Details
Severity: high
Invalid

$USDC address deployed in `Deployer.sol` is not the address of the native $USDC on Polygon mainnet.

Summary

$USDC address deployed in Deployer.sol is not the address of the native USDC on Polygon mainnet.

Vulnerability Details

The main vulnerability in the current deployment script stems from the fact that it uses a mock USDC token instead of the native USDC token on the Polygon mainnet.

  • Mock Token Usage: The HelperConfig contract points to a mock USDC token. While this is useful for testing, it is not suitable for production. The mock token does not hold any real value and cannot interact with other smart contracts or services that expect the real USDC token.

Impact

The impact of using a mock USDC token instead of the native USDC token on the Polygon mainnet includes:

  1. Loss of Funds: If users or other protocols mistakenly interact with your contract under the assumption that it uses real USDC, they could lose funds. For example, users might deposit real USDC expecting it to be used within your protocol, only to find that it is converted to or treated as a valueless mock token.

  2. Operational Disruptions: The need to eventually switch from a mock token to the native USDC token will require significant operational changes. This could involve pausing the protocol, migrating user balances, and ensuring all components correctly interact with the real USDC. This process can be complex, error-prone, and disruptive to users.

Tools Used

Manual review

Recommendations

Modify the deploy script to ensure that your contracts interact with the native USDC on the Polygon mainnet. Here's a quick breakdown:

  1. Define the posUsdc address:

    You must correctly set the native USDC address to 0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359, which is the address of the native USDC on Polygon mainnet.

  2. Update the usdc initialization:

    The usdc variable must be initialized with the native USDC address within the deploy function.

  3. Integration with MoneyShelf:

    The MoneyShelf contract must be initialized with the usdc variable, ensuring it uses the native USDC.
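The three steps above, together with the network-selection issue described under Vulnerability Details, can be handled without hardcoding a single mainnet address into the deployer. The following is an added example written for this review, not the project's own HelperConfig or Deployer: a chain-aware config contract (hypothetical names UsdcConfig, NetworkConfig, MockUsdc) that returns the native USDC address on Polygon PoS (chain id 137) and a locally deployed mock elsewhere, and a pre-broadcast sanity check that fails if the chosen address has no code or does not carry USDC's metadata. The native USDC address is the one given in the report; the OpenZeppelin import paths follow the layout used in the mitigation diff below.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration for this review; not the project's HelperConfig.
// Assumed: a forge project with openzeppelin-contracts under lib/.
import { ERC20 } from "lib/openzeppelin-contracts/contracts/token/ERC20/ERC20.sol";
import { IERC20Metadata } from "lib/openzeppelin-contracts/contracts/token/ERC20/extensions/IERC20Metadata.sol";

/// Minimal 6-decimal mock used only on non-mainnet chains (hypothetical).
contract MockUsdc is ERC20 {
    constructor() ERC20("Mock USDC", "USDC") {}

    function decimals() public pure override returns (uint8) {
        return 6;
    }

    function mint(address to, uint256 amount) external {
        _mint(to, amount);
    }
}

/// Chain-aware USDC selection with a fail-closed check on mainnet (hypothetical).
contract UsdcConfig {
    // Native USDC on Polygon PoS mainnet, as stated in the report.
    address public constant POLYGON_NATIVE_USDC = 0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359;
    uint256 public constant POLYGON_CHAIN_ID = 137;

    struct NetworkConfig {
        address usdc;
        bool isMock;
    }

    error UsdcAddressHasNoCode(address usdc);
    error UnexpectedDecimals(uint8 actual);
    error UnexpectedSymbol(string actual);

    /// On Polygon mainnet return the native token and verify it; on any other
    /// chain deploy a mock so tests and local runs keep working. The script
    /// can never silently fall back to a mock on mainnet.
    function getNetworkConfig() public returns (NetworkConfig memory cfg) {
        if (block.chainid == POLYGON_CHAIN_ID) {
            cfg = NetworkConfig({ usdc: POLYGON_NATIVE_USDC, isMock: false });
            assertLooksLikeUsdc(cfg.usdc);
        } else {
            cfg = NetworkConfig({ usdc: address(new MockUsdc()), isMock: true });
        }
    }

    /// Reverts before anything is broadcast if the address is not a deployed
    /// token with USDC's metadata. This catches a mistyped or undeployed
    /// address; the address itself remains the source of truth for which
    /// USDC deployment is meant, since metadata alone cannot distinguish them.
    function assertLooksLikeUsdc(address usdc) public view {
        if (usdc.code.length == 0) revert UsdcAddressHasNoCode(usdc);

        uint8 dec = IERC20Metadata(usdc).decimals();
        if (dec != 6) revert UnexpectedDecimals(dec);

        string memory sym = IERC20Metadata(usdc).symbol();
        if (keccak256(bytes(sym)) != keccak256("USDC")) revert UnexpectedSymbol(sym);
    }
}
```

In the deployer, `IERC20 usdc = IERC20(new UsdcConfig().getNetworkConfig().usdc);` replaces the mock lookup and is then passed to the MoneyShelf constructor as in step 3. Running the script with `--fork-url` against a Polygon RPC exercises the mainnet branch, so a wrong address is caught by `assertLooksLikeUsdc` in the dry run rather than after broadcast.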

Mitigation
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import { Script, console2 } from "lib/forge-std/src/Script.sol";
import { IERC20 } from "lib/openzeppelin-contracts/contracts/token/ERC20/IERC20.sol";
import { HelperConfig } from "script/HelperConfig.s.sol";
import { Kernel, Actions, Role } from "src/Kernel.sol";
import { CrimeMoney } from "src/CrimeMoney.sol";
import { WeaponShelf } from "src/modules/WeaponShelf.sol";
import { MoneyShelf } from "src/modules/MoneyShelf.sol";
import { Laundrette } from "src/policies/Laundrette.sol";
contract Deployer is Script {
address public godFather;
+ address public posUsdc = 0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359;
+ IERC20 public usdc;
function run() public {
vm.startBroadcast();
deploy();
vm.stopBroadcast();
}
function deploy() public returns (Kernel, IERC20, CrimeMoney, WeaponShelf, MoneyShelf, Laundrette) {
godFather = msg.sender;
- // Deploy USDC mock
- HelperConfig helperConfig = new HelperConfig();
- IERC20 usdc = IERC20(helperConfig.getActiveNetworkConfig().usdc);
+ usdc = IERC20(posUsdc);
Kernel kernel = new Kernel();
CrimeMoney crimeMoney = new CrimeMoney(kernel);
WeaponShelf weaponShelf = new WeaponShelf(kernel);
MoneyShelf moneyShelf = new MoneyShelf(kernel, usdc, crimeMoney);
Laundrette laundrette = new Laundrette(kernel);
kernel.grantRole(Role.wrap("moneyshelf"), address(moneyShelf));
kernel.executeAction(Actions.InstallModule, address(weaponShelf));
kernel.executeAction(Actions.InstallModule, address(moneyShelf));
kernel.executeAction(Actions.ActivatePolicy, address(laundrette));
kernel.executeAction(Actions.ChangeAdmin, address(laundrette));
kernel.executeAction(Actions.ChangeExecutor, godFather);
return (kernel, usdc, crimeMoney, weaponShelf, moneyShelf, laundrette);
}
}
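Review bot: the `HelperConfig` import on the `import { HelperConfig } from "script/HelperConfig.s.sol";` line is left in place although the only use of it (the three removed lines in `deploy()`) is gone, so it should be dropped along with the unused `console2` import. More importantly, replacing the per-network lookup with `address public posUsdc = 0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359;` makes the script Polygon-mainnet-only: the same `deploy()` run on a testnet or a local node would hand `MoneyShelf` an address with no code behind it. Consider keeping the network switch and returning the native address from its Polygon branch instead, or at least guarding the hardcoded path with a chain-id check such as `require(block.chainid == 137, "Polygon mainnet only");` before `usdc = IERC20(posUsdc);`.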
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
vesper Submitter about 1 year ago
n0kto Lead Judge about 1 year ago
