Tadle

Tadle
DeFi
30,000 USDC
View results
Submission Details
Severity: medium
Invalid

Incompatibility with interface can lead TadleFactory to deploy only upto uint8.max = 255 contracts instead of intended uint256.max leading to DoS after 255 deployments

Summary

The Tadle factory is incompatible with the ITadleInterface in one of the even emissions by deploy method.

Incompatibility with interface can lead TadleFactory to only deploy upto uint8.max = 255 contracts instead of intended uint256.max which is an astronomically large number `115792089237316195423570985008687907853269984665640564039457584007913129639935`

Vulnerability Details

TadleFactory violates compatibility of ITadleFactory in an event emission that initially thought is harmless but after 255 contracts are deployed by the factory , factory will no more be able to deploy contracts at new indexes > uint8.max (i.e 255) which will lead to Denail of service for new contract deployments if index is monotonically increasing

ITadleFactory.sol

event RelatedContractDeployed(uint256 _index, address _contractAddr);

TadleFactory

function deployUpgradeableProxy(
uint8 _relatedContractIndex, // @audit : uint8 instead of uint256
//snip
) external onlyGuardian returns (address) {
// snip
relatedContracts[_relatedContractIndex] = address(_proxy);
emit RelatedContractDeployed(_relatedContractIndex, address(_proxy));
return address(_proxy);
}

Impact

There are two impacts

  1. If Guardian is aware of this limitation , they will always try to keep _relatedContractIndexin range 0 - 255 , which will make contract suffer of index redundancy across deployments which will not be easily distinguishable and forge the uniqueness property of _relatedContractIndex.

  2. If Guardian wants to keep _relatedContractIndex unique across each deployment , they will only be able to deploy 255 contracts instead of the supposed 115792089237316195423570985008687907853269984665640564039457584007913129639935contracts

Tools Used

Manual Review

Recommendations

Change the function signature to this to support large number of deployments

function deployUpgradeableProxy(
uint256 _relatedContractIndex, // @audit : uint8 instead of uint256
//snip
Updates

Lead Judging Commences

0xnevi Lead Judge
10 months ago
0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.