Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $140,000 USDC
Total HM: 19
Participants: 69
Period: 21 days
Judge: 0xean
Total Solo HM: 4
Id: 343
League: ETH
Rank: 22/69
Findings: 1
Award: $835.10
🌟 Selected for report: 0
🚀 Solo Findings: 0
MrPotatoMagic
835.0974 USDC - $835.10
The `TaikoToken` contract inherits from `EssentialContract`, which in turn inherits from the `AddressResolver` contract. However, during initialization the `TaikoToken` contract does not initialize the address manager, so the `addressManager` variable remains uninitialized. As a result, any attempt to use a function or modifier that depends on the address manager, such as the `resolve` function or the `onlyFromOwnerOrNamed` modifier, reverts with the `RESOLVER_INVALID_MANAGER()` error.

The uninitialized address manager poses a critical vulnerability because it prevents essential functions and modifiers in the `TaikoToken` contract from functioning at all. This could lead to unexpected behavior or disruptions in the protocol's functionality.
packages/protocol/contracts/L1/TaikoToken.sol:

```solidity
51     /// @notice Creates a new token snapshot.
52:    function snapshot() public onlyFromOwnerOrNamed("snapshooter") {
53:        _snapshot();
54:    }
```

packages/protocol/contracts/common/AddressResolver.sol:

```solidity
72:    function _resolve(
73:        uint64 _chainId,
74:        bytes32 _name,
75:        bool _allowZeroAddress
76:    )
77:        private
78:        view
79:        returns (address payable addr_)
80:    {
81:        if (addressManager == address(0)) revert RESOLVER_INVALID_MANAGER();
```
Explanation:

TaikoToken.sol - Line 52: The `snapshot` function is defined in the `TaikoToken` contract and is intended to create a new token snapshot. However, it carries the `onlyFromOwnerOrNamed` modifier, which depends on the `resolve` function from the `AddressResolver` contract.

AddressResolver.sol - Lines 72-81: The `_resolve` function in the `AddressResolver` contract checks whether the `addressManager` variable is initialized. If it is not (i.e., it is still `address(0)`), the function reverts with the `RESOLVER_INVALID_MANAGER()` error.
The issue arises because the `TaikoToken` contract does not initialize the address manager during initialization, leaving the `addressManager` variable in the `AddressResolver` contract unset. As a result, any attempt to use a function or modifier that depends on the address manager, such as the `snapshot` function in the `TaikoToken` contract, reverts with the `RESOLVER_INVALID_MANAGER()` error.
To mitigate this vulnerability, ensure that the address manager is properly initialized when the `TaikoToken` contract is initialized. This can be done by passing the address manager's address to the `TaikoToken` initialization function, or by setting the address manager after initialization through a setter function or another method.
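As an added illustration (not the Taiko code and not part of the original finding), the Foundry test below models the resolver guard and the two initialization paths; `MiniResolver`, `BrokenToken`, `FixedToken` and the `MANAGER` address are simplified stand-ins, and `onlyNamed` collapses `onlyFromOwnerOrNamed` to its named-address branch. The assertion on `addressManager()` after `init` is the post-deployment check worth keeping for every contract that inherits the resolver.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Simplified stand-in for AddressResolver (constructed for this example, not the Taiko code).
abstract contract MiniResolver {
    address public addressManager;
    error RESOLVER_INVALID_MANAGER();
    function __Resolver_init(address _addressManager) internal {
        addressManager = _addressManager;
    }
    // Same guard as AddressResolver.sol line 81: an unset manager reverts every lookup.
    function resolve(bytes32) public view returns (address) {
        if (addressManager == address(0)) revert RESOLVER_INVALID_MANAGER();
        return addressManager; // the real resolver looks the name up in the manager
    }
    modifier onlyNamed(bytes32 name) {
        require(msg.sender == resolve(name), "not the named address");
        _;
    }
}

// The finding: init never sets the manager, so snapshot() can never succeed.
contract BrokenToken is MiniResolver {
    function init() external {} // addressManager stays address(0)
    function snapshot() external onlyNamed("snapshooter") {}
}

// The recommended shape: init receives the manager and forwards it to the resolver.
contract FixedToken is MiniResolver {
    function init(address _addressManager) external { __Resolver_init(_addressManager); }
    function snapshot() external onlyNamed("snapshooter") {}
}

contract ResolverInitTest is Test {
    address constant MANAGER = address(0xA11CE); // constructed sample address

    function testBrokenTokenAlwaysReverts() public {
        BrokenToken t = new BrokenToken();
        t.init();
        vm.expectRevert(MiniResolver.RESOLVER_INVALID_MANAGER.selector);
        t.snapshot(); // reverts no matter who calls
    }

    function testFixedTokenResolves() public {
        FixedToken t = new FixedToken();
        t.init(MANAGER);
        assertEq(t.addressManager(), MANAGER); // post-init invariant to assert for every child contract
        vm.prank(MANAGER);
        t.snapshot(); // succeeds once resolve() can return the named address
    }
}
```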
Here is a possible fix:
diff --git a/packages/protocol/contracts/L1/TaikoToken.sol b/packages/protocol/contracts/L1/TaikoToken.sol index 0b2ec09..9412665 100644 --- a/packages/protocol/contracts/L1/TaikoToken.sol +++ b/packages/protocol/contracts/L1/TaikoToken.sol @@ -24,6 +24,7 @@ contract TaikoToken is EssentialContract, ERC20SnapshotUpgradeable, ERC20VotesUp /// @param _recipient The address to receive initial token minting. function init( address _owner, + address _addressManager, string calldata _name, string calldata _symbol, address _recipient @@ -31,7 +32,7 @@ contract TaikoToken is EssentialContract, ERC20SnapshotUpgradeable, ERC20VotesUp public initializer { - __Essential_init(_owner); + __Essential_init(_owner, _addressManager); __ERC20_init(_name, _symbol); __ERC20Snapshot_init(); __ERC20Votes_init();
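Review bot: In the first hunk (`@@ -24,6 +24,7 @@`), the new `_addressManager` parameter is inserted into `init` without a matching NatSpec line, while the surrounding context documents the other parameters (`/// @param _recipient ...`); add `/// @param _addressManager` alongside it, and note that changing the `init` signature means every deployment script and proxy initializer that encodes `init(address,string,string,address)` must be updated at the same time.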
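Review bot: In the second hunk (`@@ -31,7 +32,7 @@`), `__Essential_init(_owner, _addressManager)` relies on a two-argument overload that this patch does not show; confirm that `EssentialContract` actually exposes that overload and that it rejects `address(0)`, otherwise a deployment that passes a zero manager would still hit the `RESOLVER_INVALID_MANAGER()` revert described above, only later and less visibly.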
#0 - c4-pre-sort
2024-03-29T14:14:27Z
minhquanym marked the issue as duplicate of #261
#1 - c4-judge
2024-04-10T11:35:50Z
0xean marked the issue as satisfactory