FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: low
Likelihood: low

No compatibility check when updating the factory pool implementation

Author Revealed upon completion

Description

setPoolImplementation() only checks for address(0). If the owner sets an address that doesn't implement initialize() with the right signature, every future createPool() will silently revert. Existing pools aren't affected since they're already cloned.

Root Cause

Line 137-142 of ConfidencePoolFactory.sol:

function setPoolImplementation(address newPoolImplementation) external onlyOwner {
if (newPoolImplementation == address(0)) revert ZeroAddress();
address old = poolImplementation;
poolImplementation = newPoolImplementation;
emit PoolImplementationUpdated(old, newPoolImplementation);
}

No check that the new address has code, implements the right interface, or can be successfully initialized. The owner is trusted, but a typo or wrong address would brick all future pool creation until someone notices and fixes it.

Risk

Likelihood: Low — requires the trusted owner to make a mistake or set a malicious address.

Impact: Low — existing pools are unaffected since they are already cloned. Only future createPool() calls would revert. Easily reversible by the owner setting the correct address.

Proof of Concept

If the owner calls setPoolImplementation(someEOA) where someEOA is an externally owned account with no code, all subsequent createPool() calls will deploy a clone of an empty contract and revert when initialize() is called on it. There is no on-chain guard preventing this.

Recommended Mitigation

Add a code-length check at minimum:

function setPoolImplementation(address newPoolImplementation) external onlyOwner {
if (newPoolImplementation == address(0)) revert ZeroAddress();
if (newPoolImplementation.code.length == 0) revert InvalidImplementation();
address old = poolImplementation;
poolImplementation = newPoolImplementation;
emit PoolImplementationUpdated(old, newPoolImplementation);
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!