The Wildcat Protocol - Madalad's results

Banking, but worse - a protocol for fixed-rate, undercollateralised credit facilities.

General Information

Platform: Code4rena

Start Date: 16/10/2023

Pot Size: $60,500 USDC

Total HM: 16

Participants: 131

Period: 10 days

Judge: 0xTheC0der

Total Solo HM: 3

Id: 296

League: ETH

Wildcat Protocol

Findings Distribution

Researcher Performance

Rank: 34/131

Findings: 1

Award: $218.53

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: MiloTruck

Also found by: 0xCiphky, LokiThe5th, Madalad, Robert, ZdravkoHr, nonseodion

Labels

bug
2 (Med Risk)
satisfactory
duplicate-499

Awards

218.5317 USDC - $218.53

External Links

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/main/src/libraries/LibStoredInitCode.sol#L106

https://github.com/code-423n4/2023-10-wildcat/blob/bbeea97c94114731d809674546210b5a56d7bc6c/src/WildcatMarketController.sol#L354

https://github.com/code-423n4/2023-10-wildcat/blob/bbeea97c94114731d809674546210b5a56d7bc6c/src/WildcatMarketControllerFactory.sol#L297

Vulnerability details

Impact

When calling create2 using assembly, a failed deployment does not cause the calling context to revert, and simply returns address(0) instead. Without checking that the return value is not address(0), the deployment may silently fail and lead to unintended consequences.

Proof of Concept

Deployment may fail for one of the following reasons (source: evm.codes):

  • A contract already exists at the destination address
  • Insufficient value to transfer
  • Sub context reverted
  • Insufficient gas to execute the initialisation code
  • Call depth limit reached

Contract deployment using create2 is handled by LibStoredInitCode#create2WithStoredInitCode, which returns the address variable deployment, representing the returned value from the call to assembly's create2.

File: src/libraries/LibStoredInitCode.sol

106:   function create2WithStoredInitCode(
107:     address initCodeStorage,
108:     bytes32 salt,
109:     uint256 value
110:   ) internal returns (address deployment) {
111:     assembly {
112:       let initCodePointer := mload(0x40)
113:       let initCodeSize := sub(extcodesize(initCodeStorage), 1)
114:       extcodecopy(initCodeStorage, initCodePointer, 1, initCodeSize)
115:       deployment := create2(value, initCodePointer, initCodeSize, salt)
116:     }
117:   }

In WildcatMarketController and WildcatMarketControllerFactory, calls are made to LibStoredInitCode.create2WithStoredInitCode but the returned address value is ignored. This means that the deployment may fail without causing a revert, deceiving users into thinking their controller/market has been deployed when in fact it has not.

File: src/WildcatMarketController.sol

354:     LibStoredInitCode.create2WithStoredInitCode(marketInitCodeStorage, salt);

File: src/WildcatMarketControllerFactory.sol

297:     LibStoredInitCode.create2WithStoredInitCode(controllerInitCodeStorage, salt);

Tools Used

Manual review

Recommended Mitigation Steps

In create2WithStoredInitCode, add a zero-address check on the deployment address returned by create2, so that a failed deployment reverts instead of silently returning address(0):

File: src/libraries/LibStoredInitCode.sol

  function create2WithStoredInitCode(
    address initCodeStorage,
    bytes32 salt,
    uint256 value
  ) internal returns (address deployment) {
    assembly {
      let initCodePointer := mload(0x40)
      let initCodeSize := sub(extcodesize(initCodeStorage), 1)
      extcodecopy(initCodeStorage, initCodePointer, 1, initCodeSize)
      deployment := create2(value, initCodePointer, initCodeSize, salt)
    }
+   require(deployment != address(0), "create2 deployment failed");
  }
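As an added illustration of both the failure mode and the fix (this is example code written for this page, not code from the Wildcat repository or from the finding itself), the Foundry test below deploys the same init code twice with the same salt. The second create2 hits the "a contract already exists at the destination address" case from the list above; with the bare assembly call it would return address(0) and the caller would carry on, whereas the require in the hypothetical SafeCreate2 helper turns it into a revert. The predict function also shows the standard create2 address derivation (keccak256(0xff ++ deployer ++ salt ++ keccak256(initCode))) so a deployment can be cross-checked against its expected address. The Payload, Deployer and SafeCreate2 names, and the salt value, are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Minimal contract used only as the deployment payload in this example.
contract Payload {
    uint256 public immutable x;
    constructor(uint256 _x) { x = _x; }
}

/// Hypothetical helper (not the Wildcat library): wraps the assembly create2
/// and converts its silent address(0) failure into a revert.
library SafeCreate2 {
    /// Standard create2 address derivation, usable to check a deployment result.
    function predict(address deployer, bytes32 salt, bytes memory initCode) internal pure returns (address) {
        return address(uint160(uint256(keccak256(abi.encodePacked(
            bytes1(0xff), deployer, salt, keccak256(initCode)
        )))));
    }

    function deploy(bytes memory initCode, bytes32 salt, uint256 value) internal returns (address deployment) {
        assembly {
            // A memory bytes array is a length word followed by the data.
            deployment := create2(value, add(initCode, 0x20), mload(initCode), salt)
        }
        // create2 returns 0 on failure instead of reverting; surface that as an error.
        require(deployment != address(0), "create2 deployment failed");
    }
}

/// Deployer whose address is the one hashed into the create2 derivation.
contract Deployer {
    function deploy(uint256 x, bytes32 salt) external returns (address) {
        bytes memory initCode = abi.encodePacked(type(Payload).creationCode, abi.encode(x));
        return SafeCreate2.deploy(initCode, salt, 0);
    }
}

contract SafeCreate2Test is Test {
    Deployer deployer;

    function setUp() public {
        deployer = new Deployer();
    }

    function testSecondDeploymentWithSameSaltReverts() public {
        bytes32 salt = keccak256("constructed-salt"); // constructed value
        bytes memory initCode = abi.encodePacked(type(Payload).creationCode, abi.encode(uint256(7)));

        // First deployment succeeds and lands on the predicted address.
        address predicted = SafeCreate2.predict(address(deployer), salt, initCode);
        address first = deployer.deploy(7, salt);
        assertEq(first, predicted);
        assertEq(Payload(first).x(), 7);

        // Same salt and init code: a contract already exists at the destination
        // address, so create2 yields address(0) and the require reverts.
        vm.expectRevert(bytes("create2 deployment failed"));
        deployer.deploy(7, salt);
    }
}
```

Run with forge test; removing the require from SafeCreate2.deploy makes the second call return address(0) and the test fails on the expected revert, which is exactly the silent-failure behaviour this finding describes.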

Assessed type

Invalid Validation

#0 - c4-pre-sort

2023-10-27T04:41:48Z

minhquanym marked the issue as duplicate of #28

#1 - c4-judge

2023-11-07T14:59:38Z

MarioPoneder marked the issue as satisfactory
