Platform: Code4rena
Start Date: 03/07/2023
Pot Size: $40,000 USDC
Total HM: 14
Participants: 74
Period: 7 days
Judge: alcueca
Total Solo HM: 9
Id: 259
League: ETH
Rank: 69/74
Findings: 1
Award: $6.07
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xprinc
Also found by: 0x11singh99, 0xAnah, 0xWaitress, 0xkazim, 2997ms, 33audits, 404Notfound, 8olidity, CRIMSON-RAT-REACH, CyberPunks, DanielWang888, Deekshith99, Eeyore, Eurovickk, Inspecktor, JGcarv, John, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Qeew, QiuhaoLi, Rolezn, TheSavageTeddy, Topmark, Trust, Udsen, a3yip6, alexzoid, bigtone, codegpt, erebus, fatherOfBlocks, ginlee, glcanvas, hunter_w3b, josephdara, kaveyjoe, kutugu, mahdirostami, max10afternoon, oakcobalt, peanuts, pfapostol, ptsanev, qpzm, radev_sw, ravikiranweb3, sces60107, seth_lawson, te_aut, twcctop, zhaojie, ziyou-
6.0655 USDC - $6.07
The aquire contract is a permissionless Well registry and factory so user can deploy his well contract through this contract. The contract is not forcing the init function and the init function doesn´t has some mechanisc that allow just a deployer to call the init function in the well contract allowing other user to init the contract.
file:src/Aquifer.sol function boreWell( address implementation, bytes calldata immutableData, bytes calldata initFunctionCall, bytes32 salt ) external nonReentrant returns (address well) { ... if (initFunctionCall.length > 0) { (bool success, bytes memory returnData) = well.call(initFunctionCall); //@audit (low ) frony run init if (!success) { // Next 5 lines are based on https://ethereum.stackexchange.com/a/83577 if (returnData.length < 68) revert InitFailed(""); assembly { returnData := add(returnData, 0x04) } revert InitFailed(abi.decode(returnData, (string))); } } ... }
The deployer can decide not init the well contract yet passing 0 in initFunctionCall input.
file:src/Well.sol function init(string memory name, string memory symbol) public initializer { __ERC20Permit_init(name); __ERC20_init(name, symbol); ... }
There is not protection to allow just a deployer to call the init function allowing other user to front run the well contract and put his own name and symbol.
force a user to init the well contract in the Aquifer contract:
function boreWell( address implementation, bytes calldata immutableData, bytes calldata initFunctionCall, bytes32 salt ) external nonReentrant returns (address well) { ... if (initFunctionCall.length == 0) { revert CUSTOM_ERROR() } ... }
#0 - c4-pre-sort
2023-07-12T09:47:04Z
141345 marked the issue as high quality report
#1 - c4-pre-sort
2023-07-14T05:47:07Z
141345 marked the issue as low quality report
#2 - alcueca
2023-08-04T21:12:58Z
No need for checks in the code. Instead make potential developers aware that the init function must be passed on to boreWell, instead of calling externally.
#3 - c4-judge
2023-08-04T21:13:05Z
alcueca marked the issue as grade-b