Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incompatibility with interface can lead TadleFactory to deploy only upto uint8.max = 255 contracts instead of intended uint256.max leading to DoS after 255 deployments

0xreadyplayer1

Summary

The Tadle factory is incompatible with the ITadleInterface in one of the even emissions by deploy method.

Incompatibility with interface can lead TadleFactory to only deploy upto uint8.max = 255 contracts instead of intended uint256.max which is an astronomically large number `115792089237316195423570985008687907853269984665640564039457584007913129639935`

Vulnerability Details

TadleFactory violates compatibility of ITadleFactory in an event emission that initially thought is harmless but after 255 contracts are deployed by the factory , factory will no more be able to deploy contracts at new indexes > uint8.max (i.e 255) which will lead to Denail of service for new contract deployments if index is monotonically increasing

ITadleFactory.sol

event RelatedContractDeployed(uint256 _index, address _contractAddr);

TadleFactory

function deployUpgradeableProxy(

uint8 _relatedContractIndex, // @audit : uint8 instead of uint256

//snip

) external onlyGuardian returns (address) {

// snip

relatedContracts[_relatedContractIndex] = address(_proxy);

emit RelatedContractDeployed(_relatedContractIndex, address(_proxy));

return address(_proxy);

}

Impact

There are two impacts

If Guardian is aware of this limitation , they will always try to keep _relatedContractIndexin range 0 - 255 , which will make contract suffer of index redundancy across deployments which will not be easily distinguishable and forge the uniqueness property of _relatedContractIndex.
If Guardian wants to keep _relatedContractIndex unique across each deployment , they will only be able to deploy 255 contracts instead of the supposed 115792089237316195423570985008687907853269984665640564039457584007913129639935contracts

Tools Used

Manual Review

Recommendations

Change the function signature to this to support large number of deployments

function deployUpgradeableProxy(

uint256 _relatedContractIndex, // @audit : uint8 instead of uint256

//snip

Updates

Lead Judging Commences

0xnevi Lead Judge

10 months ago

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.