https://github.com/Cyfrin/2024-08-kitty-fi/blob/main/src/KittyCoin.sol#L17-19
The KittyCoin contract is designed so that tokens can be minted and burned only by the KittyPool contract. However, the pool address is fixed in the constructor at deployment, with no method to update or change it afterward. This becomes a limitation if the pool contract address ever needs to change, for example because of an upgrade.
The contract's constructor sets the KittyPool address during deployment and provides no setter function or other mechanism to modify it later. While this design ensures that only the intended KittyPool contract can mint and burn KittyCoin tokens, it also creates a risk: if the KittyPool contract needs to be upgraded or replaced, the KittyCoin contract cannot follow it and would have to be redeployed, which could cause operational disruption.
Once the pool address is set at deployment, no function exists to update it, so the contract is inflexible if the pool address ever has to change.
The inability to update the pool address can cause significant problems if the KittyPool contract needs to be replaced or upgraded. It could necessitate deploying a new KittyCoin contract, which would disrupt the existing system and require migrating balances and state, with the attendant inconvenience and risk of errors during migration.
Manual
To improve flexibility, implement a function that allows an authorized party to update the pool address. The function should enforce proper access control so that only that party can change the address, while still enabling updates when necessary.
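The recommendation above, sketched as an added example that is not the project's own KittyCoin.sol: an owner-controlled setter for the pool address, with a zero-address check and an event so pool changes are auditable on-chain. The OpenZeppelin v5 ERC20/Ownable base contracts, the token name and symbol, and the function and error names are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative hardening only; not the contest's KittyCoin.sol.
// Assumes OpenZeppelin v5 ERC20 and Ownable are available at these paths.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract KittyCoinUpdatable is ERC20, Ownable {
    // Mutable (not immutable) so the minter/burner can be rotated.
    address public kittyPool;

    event KittyPoolUpdated(address indexed oldPool, address indexed newPool);

    error NotKittyPool(address caller);
    error ZeroAddress();

    modifier onlyKittyPool() {
        if (msg.sender != kittyPool) revert NotKittyPool(msg.sender);
        _;
    }

    // Token name/symbol are placeholders for this example.
    constructor(address initialPool) ERC20("KittyCoin", "KITTY") Ownable(msg.sender) {
        if (initialPool == address(0)) revert ZeroAddress();
        kittyPool = initialPool;
        emit KittyPoolUpdated(address(0), initialPool);
    }

    // The recommended fix: an access-controlled setter so the pool can be
    // replaced without redeploying the token and migrating balances.
    function setKittyPool(address newPool) external onlyOwner {
        if (newPool == address(0)) revert ZeroAddress();
        address oldPool = kittyPool;
        kittyPool = newPool;
        emit KittyPoolUpdated(oldPool, newPool);
    }

    // Mint/burn remain restricted to whichever pool is currently configured.
    function mint(address to, uint256 amount) external onlyKittyPool {
        _mint(to, amount);
    }

    function burn(address from, uint256 amount) external onlyKittyPool {
        _burn(from, amount);
    }
}
```

The setter concentrates minting authority in the owner key, so in practice that owner should be a multisig or timelocked governance contract rather than an EOA, and the `KittyPoolUpdated` event should be monitored.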