hardcoded paraswap callee address
Summary
The function _validateCallData() under ParaSwapUtils.sol checks whether to address is correct paraswap address or not. But currently it is hardcode which can lead to problems in future. This protocol is not even upgradable. So there is no way to update this. It is better to store paraswap address in a storage variable and allow admin to update in future
Vulnerability Details
Main reason why we should not use hardcoded paraswap address in our protocol ?
If an attacker gains control over the address (e.g., due to a vulnerability in ParaSwap), our protocol will inherit the risk and there is no way to update this to new address.
Code:
Impact
Fund loss if attacker gains access to the hardcoded paraswap address and there is no way for gamma admin team to update to new paraswap address.
Tools Used
Manual review
Recommendations
Store the address in a variable and have a setter function which can allow only owner to update this variable anytime
Lead Judging Commences
Informational or Gas
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.