Submission Details
Severity:
WEAPN keycode overwrites MONEY dependency in Laundrette::configureDependencies causing a bad migration
Summary
WEAPN keycode overwrites MONEY dependency in Laundrette::configureDependencies causing a bad migration.
Vulnerability Details
In case of of migration, owner will run the EmergencyMigration script that will call migrate(), that will call the kernel's executeAction(Actions.UpgradeModule, address(moneyVault)); with the kernel executor set as the caller, that will call _upgradeModule(Module newModule_) that will call _reconfigurePolicies(keycode); that will call configureDependencies() and here's the issue:
function configureDependencies() external override onlyKernel returns (Keycode[] memory dependencies) {
dependencies = new Keycode[](2);
dependencies[0] = toKeycode("MONEY");
moneyShelf = MoneyShelf(getModuleAddress(toKeycode("MONEY")));
dependencies[0] = toKeycode("WEAPN"); /// @audit here's the issue: overwriting dependencies[0], should be dependencies[1] instead
weaponShelf = WeaponShelf(getModuleAddress(toKeycode("WEAPN")));
}
Impact
Bad migration
Tools Used
Manual analysis
Recommendations
- dependencies[0] = toKeycode("WEAPN");
+ dependencies[1] = toKeycode("WEAPN");
Updates
Lead Judging Commences
n0kto over 1 year ago
Submission Judgement Published Assigned finding tags:
Laundrette incorrect dependencies
Rewards breakdown
nSLOC
205This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.