FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: medium
Likelihood: medium

Pool Implementation Can Be Set to a Non Contract Address

Author Revealed upon completion

Root + Impact

Description

  • Impact
    The factory may become incapable of deploying new pools if the implementation address points to an EOA or an address without deployed bytecode.

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

  • Medium:

  • Implementation addresses are commonly updated during upgrades, making configuration mistakes possible.

Impact:

  • Impact 1

  • Impact 2

Proof of Concept

The implementation address is only checked against the zero address.
No validation confirms that the address actually contains implementation code.

function test_PoC_PoolImplementation_AcceptsEOA_NoCodeCheck() public {
address eoa = makeAddr("eoaAsImpl");
assertEq(eoa.code.length, 0);
vm.prank(owner);
factory.setPoolImplementation(eoa); // succeeds — no bytecode validation
assertEq(factory.poolImplementation(), eoa);
}

Recommended Mitigation

Ensure the implementation contains deployed bytecode.

- remove this code
function setPoolImplementation(address newPoolImplementation) external onlyOwner {
if (newPoolImplementation == address(0)) revert ZeroAddress();
address old = poolImplementation;
poolImplementation = newPoolImplementation;
emit PoolImplementationUpdated(old, newPoolImplementation);
}
+ add this code
function setPoolImplementation(address newPoolImplementation) external onlyOwner {
if (newPoolImplementation == address(0)) revert ZeroAddress();
if (newPoolImplementation.code.length == 0) revert NotAContract();
address old = poolImplementation;
poolImplementation = newPoolImplementation;
emit PoolImplementationUpdated(old, newPoolImplementation);
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!