Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

The factory does not validate _relatedContractIndex before deploying a new proxy, so reusing an index silently replaces the address previously registered under it.

Summary

TadleFactory.deployUpgradeableProxy stores the new proxy address under relatedContracts[_relatedContractIndex] without first checking whether that slot is already populated. A second call with an index that is already in use therefore replaces the stored address: the original proxy stays on-chain but is no longer reachable through the factory, and every consumer that resolves related contracts by index is pointed at the new deployment without any signal that a replacement happened. Because deployment is an administrative action, the overwrite would stem from operator error rather than from an external attacker, but the factory offers no safeguard against it.

Vulnerability Details

Run the following test in premarkets.t.sol. It relies on that file's setUp for tadleFactory, user1 and the deploy_data initialiser payload. The final assertion states what a protected index would guarantee (the stored address is unchanged after a second deployment at the same index); the test fails because the second call overwrites the slot:

```solidity
function test_related_Contract_Index_wont_override() public {
    // Fresh logic contract to place behind a new proxy at an index that is already taken.
    CapitalPool capitalPoolLogic = new CapitalPool();
    vm.startPrank(user1);
    address index1ContractBefore = tadleFactory.relatedContracts(1);
    console2.log(index1ContractBefore);
    // Reuse index 1: the factory never checks that the slot is occupied.
    address overwritingContract = tadleFactory.deployUpgradeableProxy(1, address(capitalPoolLogic), bytes(deploy_data));
    address index1ContractAfter = tadleFactory.relatedContracts(1);
    console2.log(index1ContractAfter);
    // Would hold if the index were protected; fails because the slot now points at the new proxy.
    assert(index1ContractAfter != overwritingContract);
    vm.stopPrank();
}
```

Tools Used

manual review

Recommendations

Reject any index that already has a contract registered before the proxy is created. In deployUpgradeableProxy, ahead of the deployment and the store into relatedContracts, add:

+ if (relatedContracts[_relatedContractIndex] != address(0)) { revert ContractAlreadyDeployed(_relatedContractIndex); }

ContractAlreadyDeployed is a new custom error that the factory must declare with the same parameter type as _relatedContractIndex. Placing the check before the `new` expression also avoids creating an orphaned proxy on the failing path. If redeploying to an existing index is an intended upgrade path, expose it through a separate, explicitly named function rather than letting the deploy call silently overwrite the slot.
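To see the unchecked and the guarded behaviour side by side, the following is an added example; it is not Tadle's code and not part of the original submission. It assumes a factory in the shape the test above exercises (an index, a logic address, initialiser calldata, one privileged deployer), uses OpenZeppelin's ERC1967Proxy as a stand-in for Tadle's own proxy, and constructs CapitalPoolStub, the guardian address and the init payload purely for the example. It runs with forge test in a Foundry project that has forge-std and openzeppelin-contracts installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Tadle's code. Assumptions: ERC1967Proxy replaces Tadle's
// proxy, CapitalPoolStub replaces the real logic contract, and the factory
// interface mirrors the one the submission's test calls.
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

error NotGuardian();
error ContractAlreadyDeployed(uint8 index);

/// Constructed stand-in for the logic contract; the proxy delegates to it.
contract CapitalPoolStub {
    uint256 public value;

    function initialize(uint256 v) external {
        value = v;
    }
}

/// Shared factory logic; _checkIndex is the only difference between the variants.
abstract contract ProxyFactoryBase {
    address public immutable guardian;
    mapping(uint8 => address) public relatedContracts;

    constructor(address _guardian) {
        guardian = _guardian;
    }

    modifier onlyGuardian() {
        if (msg.sender != guardian) revert NotGuardian();
        _;
    }

    function deployUpgradeableProxy(uint8 index, address logic, bytes calldata data)
        external
        onlyGuardian
        returns (address proxy)
    {
        _checkIndex(index); // runs before any proxy is created
        proxy = address(new ERC1967Proxy(logic, data));
        relatedContracts[index] = proxy; // plain store: a previous address is lost
    }

    function _checkIndex(uint8) internal view virtual {}
}

/// Vulnerable variant: no check, so an index can be silently reassigned.
contract UncheckedFactory is ProxyFactoryBase {
    constructor(address _guardian) ProxyFactoryBase(_guardian) {}
}

/// Hardened variant with the recommended guard: an index is assigned at most once.
contract CheckedFactory is ProxyFactoryBase {
    constructor(address _guardian) ProxyFactoryBase(_guardian) {}

    function _checkIndex(uint8 index) internal view override {
        if (relatedContracts[index] != address(0)) revert ContractAlreadyDeployed(index);
    }
}

/// Drives both variants through the same index-reuse scenario.
contract IndexReuseTest is Test {
    address internal guardian = makeAddr("guardian"); // constructed deployer
    address internal logic;
    bytes internal initData;

    function setUp() public {
        logic = address(new CapitalPoolStub());
        initData = abi.encodeCall(CapitalPoolStub.initialize, (1));
    }

    function test_unchecked_factory_overwrites_index() public {
        UncheckedFactory factory = new UncheckedFactory(guardian);
        vm.startPrank(guardian);
        address first = factory.deployUpgradeableProxy(1, logic, initData);
        address second = factory.deployUpgradeableProxy(1, logic, initData);
        vm.stopPrank();

        assertTrue(first != second, "two distinct proxies were created");
        assertEq(factory.relatedContracts(1), second, "index 1 now resolves to the second proxy");
        // The first proxy is still live and initialised, but nothing in the factory references it.
        assertEq(CapitalPoolStub(first).value(), 1);
    }

    function test_checked_factory_rejects_index_reuse() public {
        CheckedFactory factory = new CheckedFactory(guardian);
        vm.startPrank(guardian);
        address first = factory.deployUpgradeableProxy(1, logic, initData);

        vm.expectRevert(abi.encodeWithSelector(ContractAlreadyDeployed.selector, uint8(1)));
        factory.deployUpgradeableProxy(1, logic, initData);
        vm.stopPrank();

        assertEq(factory.relatedContracts(1), first, "index 1 still resolves to the original proxy");
    }
}
```

The guard sits at the top of deployUpgradeableProxy so that a rejected call leaves no orphaned proxy behind, and the revert carries the offending index so an operator can see which slot was already taken. Deliberate replacement, if ever needed, should go through a separately named function so that a plain deploy can never double as an overwrite.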
Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and their duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in the README; they can break certain assumptions of the code based on their actions, and
