FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: medium
Likelihood: medium

Non Contract Addresses Can Be Whitelisted as Stake Tokens

Author Revealed upon completion

Root + Impact

Description

  • The owner may accidentally whitelist an EOA instead of an ERC-20 token contract. Users attempting to stake the invalid token may encounter transaction failures, disrupting staking operations.

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

  • Likelihood
    Medium
    Whitelisting tokens is a recurring administrative action and is susceptible to operator mistakes.

Impact:

  • Impact 1

  • Impact 2

Proof of Concept

The function verifies only that the token address is non-zero.
It never confirms that the supplied address actually contains ERC-20 contract code.

function test_PoC_StakeTokenAllowed_AcceptsEOA_NoCodeCheck() public {
address eoa = makeAddr("eoaAsToken");
assertEq(eoa.code.length, 0);
vm.prank(owner);
factory.setStakeTokenAllowed(eoa, true); // succeeds — non-token address allowlisted
assertTrue(factory.allowedStakeToken(eoa));
}
}

Recommended Mitigation

Mitigation
Verify that the supplied token address contains deployed contract code.

- remove this code
function setStakeTokenAllowed(address token, bool allowed) external onlyOwner {\
if (token == address(0)) revert ZeroAddress();\
allowedStakeToken\[token] = allowed;\
emit StakeTokenAllowedUpdated(token, allowed);\
}
+ add this code
function setStakeTokenAllowed(address token, bool allowed)
external
onlyOwner
{
if (token == address(0)) revert ZeroAddress();
if (token.code.length == 0) revert NotAContract();
allowedStakeToken[token] = allowed;
emit StakeTokenAllowedUpdated(token, allowed);

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!