Liquidity Management

Gamma

DeFiFoundry

50,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Hardcoded AugustusSwapper address

biakia

Summary

The provided Solidity code implements a utility library ParaSwapUtils for interacting with the ParaSwap protocol. However, it contains a critical vulnerability due to the hardcoded address of the AugustusSwapper contract (0xDEF171Fe48CF0115B1d80b88dc8eAB59176FEe57). According to the ParaSwap documentation, the address of AugustusSwapper varies across different blockchain networks. This hardcoding limits the code's portability and functionality on chains where the AugustusSwapper address differs from the hardcoded value.

Vulnerability Details

The address of AugustusSwapper is hardcoded as 0xDEF171Fe48CF0115B1d80b88dc8eAB59176FEe57 in the _validateCallData function.

function _validateCallData(address to, bytes memory callData) internal view {

require(to == address(0xDEF171Fe48CF0115B1d80b88dc8eAB59176FEe57), "invalid paraswap callee");

address receiver;

assembly {

receiver := mload(add(callData, 196))

}

require(receiver == address(this), "invalid paraswap calldata");

}

If the AugustusSwapper address changes (e.g., due to an upgrade or migration), the _validateCallData will always revert.

Impact

Portability: The code cannot be deployed on chains where the AugustusSwapper address differs from the hardcoded value.
Functionality: If deployed on an unsupported chain, the swap function will fail due to the invalid AugustusSwapper address.
Maintenance: If the AugustusSwapper address changes (e.g., due to an upgrade or migration), the code may revert.

The impact is Medium, the likelihood is Low, so the severity is Low.

Tools Used

Maunal Review

Recommendations

Make the AugustusSwapper address a parameter of the swap function, allowing it to be dynamically specified by the caller.

function swap(address to, bytes memory callData, address augustusSwapper) external {

_validateCallData(to, callData, augustusSwapper);

address approvalAddress = IAugustusSwapper(augustusSwapper).getTokenTransferProxy();

// Rest of the function logic...

}

function _validateCallData(address to, bytes memory callData, address augustusSwapper) internal view {

require(to == augustusSwapper, "invalid paraswap callee");

// Rest of the validation logic...

}

Updates

Lead Judging Commences

n0kto Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

1,910

26 USDC / LOC

High Medium

47,500

Low

2,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.