Platform: Code4rena
Start Date: 08/06/2022
Pot Size: $115,000 USDC
Total HM: 26
Participants: 72
Period: 11 days
Judge: leastwood
Total Solo HM: 14
Id: 132
League: ETH
Rank: 61/72
Findings: 1
Award: $141.82
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: BowTiedWardens
Also found by: 0x1f8b, 0x29A, 0x52, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Chom, ElKu, Funen, IllIllI, JMukesh, Jujic, Kaiziron, Lambda, MiloTruck, Ruhum, SmartSek, SooYa, TerrierLover, TomJ, WatchPug, Waze, _Adam, asutorufos, auditor0517, bardamu, c3phas, catchup, cccz, ch13fd357r0y3r, cloudjunky, cmichel, cryptphi, csanuragjain, defsec, fatherOfBlocks, hansfriese, hyh, jayjonah8, joestakey, k, kenta, obtarian, oyc_109, robee, sach1r0, shenwilly, simon135, slywaters, sorrynotsorry, tintin, unforgiven, xiaoming90, zzzitron
141.8225 USDC - $141.82
initializer in TokenRegistryfunction setLocalDomain(uint32 domain) public { _local = domain; }
The setLocalDomain in TokenRegistry is public with no modifier initializer. Related information is used later to decide whether _deployToken or not in ensureLocalToken as well as in the library AssetLogic, but due to the limited time, could not figure out ways to exploit this.
ProposedOwnableUpgradeablesProposedOwnableUpgradeable contracts. One is in the helpers directory and the other is in the shared/ProposedOwnable.sol which is inheriting ProposedOwnable. The ProposedOwnableUpgradeable from helpers is seemingly not used within this repo.LibDiamondsetContractOwner does not have zero address check and should not have zero address check as it will be used in the ProposedOwnableFacet to renounceOwnership. So, setContractOwner doubles as set and renounce the ownership. It may be safer to separate those usages. For example, this setContractOwner was used in the test implementation of Connext without zero address check. If it is the intended usage of this library for the future, it may be safeguarded in the library level.ProposedOwnableFacet and others/** * @notice Transfers ownership of the contract to a new account (`newOwner`). * Can only be called by the current owner. */ function acceptProposedOwner() public onlyProposed {
The acceptProposedOwner can only be called by the proposed owner, yet the comment says it can only be called by the current owner.
Also ProposedOwnableFacet ProposedOwnableUpgradeable has a Natspec, with the title ProposedOwnable.
UpgradeBeaconController// TODO: upgrade to `ProposedOwnable` contract UpgradeBeaconController is Ownable {
TODO comment mentions to upgrade to ProposedOwnable, however, unlike the openzeppelin's contract, the ProposedOwnable in this repos does not implement a constructor, presumably because it was going to be used as an implementation of a proxy. But the UpgradeBeaaconController to function as a controller, it needs owner. If a new contract named ProposedOwnable was going to be written, it may be confusing because it will only be distinguished by the import path.
#0 - ecmendenhall
2022-06-20T04:34:09Z
The Low finding here ("Missing initializer in TokenRegistry") is a duplicate of #54.
#1 - jakekidd
2022-07-02T01:14:21Z
TokenRegistry out of scope
#2 - 0xleastwood
2022-08-13T23:00:21Z
First part is incorrect: See #72.