Beginner Friendly · DeFi · Foundry
Submission Details
Severity: high
Invalid

Wrong USDC address in `HelperConfig::getPolygonMainnetConfig` causes incorrect `MoneyShelf` deployment in `Deployer.s.sol`

Summary

The Compatibilities section of the README states that the protocol is meant to be deployed on Polygon.
When `MoneyShelf` is deployed in the `Deployer` script, it must be passed the USDC token address of the target chain. The script reads that address from `helperConfig.getActiveNetworkConfig().usdc`, and `HelperConfig::getConfigByChainId` dispatches to a per-chain config function that is supposed to return the correct USDC address for the selected chain.

Vulnerability Details

Looking at the implementation of `HelperConfig::getPolygonMainnetConfig`, the USDC address it returns is `address(1)`, which is not a token contract: on every EVM chain, Polygon PoS included, 0x01 is the ecrecover precompile and holds no bytecode. You can confirm what that literal expands to from the terminal:

  1. chisel

  2. address(1)

This prints 0x0000000000000000000000000000000000000001. A quick search shows that the USDC address on Polygon PoS is actually 0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359 (Circle's native USDC).

Proof of Code

You can also verify this by forcing the Polygon config in the Deployer script:

Code
function deploy() public returns (Kernel, IERC20, CrimeMoney, WeaponShelf, MoneyShelf, Laundrette) {
godFather = msg.sender;
// Deploy USDC mock
HelperConfig helperConfig = new HelperConfig();
- IERC20 usdc = IERC20(helperConfig.getActiveNetworkConfig().usdc);
+ IERC20 usdc = IERC20(helperConfig.getPolygonMainnetConfig().usdc);
Kernel kernel = new Kernel();
CrimeMoney crimeMoney = new CrimeMoney(kernel);
WeaponShelf weaponShelf = new WeaponShelf(kernel);
MoneyShelf moneyShelf = new MoneyShelf(kernel, usdc, crimeMoney);
Laundrette laundrette = new Laundrette(kernel);
kernel.grantRole(Role.wrap("moneyshelf"), address(moneyShelf));
kernel.executeAction(Actions.InstallModule, address(weaponShelf));
kernel.executeAction(Actions.InstallModule, address(moneyShelf));
kernel.executeAction(Actions.ActivatePolicy, address(laundrette));
kernel.executeAction(Actions.ChangeAdmin, address(laundrette));
kernel.executeAction(Actions.ChangeExecutor, godFather);
return (kernel, usdc, crimeMoney, weaponShelf, moneyShelf, laundrette);
}
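Review bot: the `+` line replaces the chain-id dispatch (`getActiveNetworkConfig()`) with a hardcoded `getPolygonMainnetConfig()`, which is fine for reproducing the bug but must not be committed; the actual fix belongs in `HelperConfig::getPolygonMainnetConfig`, where `address(1)` should be replaced by the real Polygon USDC address. Two smaller points in the same hunk: the `// Deploy USDC mock` comment is stale once the config points at a real token rather than a mock, and nothing in the script logs `usdc`, so the address is only visible in the `-vvv` call trace of `new MoneyShelf(kernel, usdc, crimeMoney)`; a `console.log(address(usdc))` after the config lookup would make the PoC output unambiguous.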

After making this adjustment, run the following command; with `-vvv` the call trace shows `MoneyShelf` being constructed with the invalid USDC address:

forge test --mc DeployTest -vvv

Impact

`MoneyShelf` is deployed holding a `usdc` reference that points at an address without code. Every call made through the IERC20 interface (`transferFrom`, `transfer`, `balanceOf`, ...) reverts, because the precompile returns no data and the ABI decoder rejects the empty return value. On Polygon the contract's USDC functionality is therefore broken from the moment it is deployed.
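The check a deployer should have in place for this, as an added example that is not part of the original submission or of the audited repository: a Foundry fork test that asserts the Polygon config resolves to a live ERC-20 carrying USDC's metadata, and that shows why `address(1)` cannot serve as a token. It assumes the project's `HelperConfig` is at `script/HelperConfig.s.sol` and exposes `getPolygonMainnetConfig()` returning a struct with a `usdc` field (the same shape the Deployer script reads), that forge-std and OpenZeppelin are installed, and that `POLYGON_RPC_URL` is set in the environment. The bridged USDC.e address is listed only so the test rejects it as well; the intended token is Circle's native USDC.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the original report or the audited repo).
// Fork test guarding the Polygon USDC address returned by HelperConfig.
// Assumptions: HelperConfig lives at script/HelperConfig.s.sol, its
// getPolygonMainnetConfig() returns a struct with a `usdc` field,
// forge-std and OpenZeppelin are installed, POLYGON_RPC_URL is set.

import {Test} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {HelperConfig} from "../script/HelperConfig.s.sol"; // assumed path

contract HelperConfigPolygonTest is Test {
    // Circle's native USDC on Polygon PoS (the address the report identifies).
    address constant POLYGON_USDC = 0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359;
    // Bridged USDC.e is a different token; listed so a wrong "fix" is also caught.
    address constant POLYGON_USDC_E = 0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174;

    HelperConfig helperConfig;

    function setUp() public {
        // Run against real Polygon state so code/metadata checks are meaningful.
        vm.createSelectFork(vm.envString("POLYGON_RPC_URL"));
        helperConfig = new HelperConfig();
    }

    function test_polygonUsdcIsRealToken() public {
        address usdc = helperConfig.getPolygonMainnetConfig().usdc;

        // Fails on the current code, which returns address(1).
        assertEq(usdc, POLYGON_USDC, "HelperConfig returns wrong Polygon USDC");
        assertTrue(usdc != POLYGON_USDC_E, "bridged USDC.e is not the intended token");

        // Generic sanity checks that catch any placeholder or precompile address.
        assertTrue(uint160(usdc) > 0xff, "precompile/placeholder address");
        assertGt(usdc.code.length, 0, "no bytecode at configured USDC address");
        assertEq(IERC20Metadata(usdc).decimals(), 6, "USDC has 6 decimals");
        assertEq(
            keccak256(bytes(IERC20Metadata(usdc).symbol())),
            keccak256("USDC"),
            "symbol is not USDC"
        );
    }

    function test_addressOneIsNotAnERC20() public {
        // address(1) is the ecrecover precompile: it has no code and answers
        // malformed input with empty return data, so decoding the expected
        // bool return value reverts. This is the failure MoneyShelf would hit.
        assertEq(address(1).code.length, 0);
        vm.expectRevert();
        IERC20(address(1)).transferFrom(address(this), address(0xBEEF), 1);
    }
}
```

Run it with `forge test --match-contract HelperConfigPolygonTest -vvv`; the first test is red until `getPolygonMainnetConfig` returns the real token, and the `uint160(usdc) > 0xff` and `code.length` assertions would also flag any future placeholder such as `address(0)` or a mock address copied from the Anvil config.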

Tools Used

  • Manual review

  • chisel

  • forge test

Recommendations

Return the real Polygon USDC address from `HelperConfig::getPolygonMainnetConfig` instead of `address(1)`: 0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359. As a safeguard, have the deployment test assert that the configured USDC address has bytecode on a Polygon fork, so a placeholder cannot reach production.
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Mill Submitter about 1 year ago
