First Flight #21: KittyFi

Submission Details
Severity: medium
Invalid

Address Collision using `CREATE2` and Potential Disruption in Vault Creation Due to Unreliable `ERC20` Symbol Retrieval

Summary

The `meownufactureKittyVault` function in the Kitty-Fi contract derives the salt for its `CREATE2` deployment from the token's symbol. This can lead to address collisions if two tokens have the same symbol. In addition, if the `symbol()` call fails or returns an unexpected value, it could disrupt the vault creation process, potentially causing unexpected behaviour and security vulnerabilities.

Vulnerability Details

The `meownufactureKittyVault` function in the Kitty-Fi contract uses `CREATE2` with a salt derived from the token's symbol, as seen in the following code:

    function meownufactureKittyVault(address _token, address _priceFeed) external onlyMeowntainer {
        require(tokenToVault[_token] == address(0), KittyPool__TokenAlreadyExistsMeeoooww());
        // >> the salt below is derived from the token's symbol
        address _kittyVault = address(
            new KittyVault{ salt: bytes32(abi.encodePacked(ERC20(_token).symbol())) }(
                _token, address(this), _priceFeed, i_euroPriceFeed, meowntainer, i_aavePool
            )
        );
        tokenToVault[_token] = _kittyVault;
        vaults.push(_kittyVault);
    }

The call to ERC20(_token).symbol() may fail if the token contract does not implement the symbol() function correctly or adheres to an unexpected standard. Even if the function is implemented, the token symbol is not guaranteed to be unique across all ERC20 tokens. If two tokens have the same symbol, using their symbols as the salt for CREATE2 can result in the same contract address being generated for different tokens.

Impact

If the symbol retrieval fails or returns an identical value for different tokens, it can lead to address collisions where multiple vaults end up with the same address. Failure in the symbol retrieval process can cause the vault creation process to fail, disrupting the operational flow.

Tools Used

Manual Review

Recommendations

Instead of using the token's symbol, use a unique identifier such as the token's address concatenated with the pool address to generate the salt. Implement a fallback mechanism to handle cases where the symbol() function call fails or returns an unexpected value. Ensure the validity of the symbol retrieved and that the target address generated by CREATE2 is not already in use before deploying the KittyVault.
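
One way to apply these recommendations, as an added example that is not code from KittyFi or from the submission: the hypothetical `VaultSalt` library below derives the salt from the token and pool addresses, predicts the `CREATE2` address as defined in EIP-1014, and rejects a target that already holds code. The library, error and function names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not KittyFi code. VaultSalt and its members are hypothetical names.
library VaultSalt {
    error VaultSalt__AddressAlreadyInUse(address predicted);

    /// Salt bound to the token and pool addresses, so no external symbol() call is made.
    function saltFor(address token, address pool) internal pure returns (bytes32) {
        // abi.encode pads each address to 32 bytes, so the encoding is unambiguous.
        return keccak256(abi.encode(token, pool));
    }

    /// EIP-1014: the address is the last 20 bytes of
    /// keccak256(0xff ++ deployer ++ salt ++ keccak256(initCode)).
    /// initCode is the creation bytecode followed by the ABI-encoded constructor arguments.
    function predict(address deployer, bytes32 salt, bytes memory initCode)
        internal
        pure
        returns (address)
    {
        bytes32 digest = keccak256(
            abi.encodePacked(bytes1(0xff), deployer, salt, keccak256(initCode))
        );
        return address(uint160(uint256(digest)));
    }

    /// Reverts if code already exists at the address CREATE2 would deploy to.
    function requireUnused(address deployer, bytes32 salt, bytes memory initCode)
        internal
        view
        returns (address predicted)
    {
        predicted = predict(deployer, salt, initCode);
        if (predicted.code.length != 0) revert VaultSalt__AddressAlreadyInUse(predicted);
    }
}

// Assumed call site inside the pool, before the `new KittyVault{ salt: ... }` deployment:
//   bytes32 salt = VaultSalt.saltFor(_token, address(this));
//   bytes memory initCode = abi.encodePacked(
//       type(KittyVault).creationCode,
//       abi.encode(_token, address(this), _priceFeed, i_euroPriceFeed, meowntainer, i_aavePool)
//   );
//   VaultSalt.requireUnused(address(this), salt, initCode);
```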

Updates

Lead Judging Commences

shikhar229169 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
