This repository has been archived by the owner on Sep 17, 2023. It is now read-only.

HonorLt - Hardcoded WETH #288

Closed
sherlock-admin opened this issue Mar 17, 2023 · 4 comments
Labels
Duplicate Escalation Resolved This issue's escalations have been approved/rejected Medium Reward A payout will be made for this issue

Comments

@sherlock-admin
Contributor

sherlock-admin commented Mar 17, 2023

HonorLt

medium

Hardcoded WETH

Summary

The address of WETH is hardcoded but it differs on other chains.

Vulnerability Detail

The swap library has WETH hardcoded:

address internal constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;

It is used when performing a multi-token swap (tokenA -> WETH -> tokenB).

The scope mentions these deployment environments:
DEPLOYMENT: Mainnet, Arbitrum, Optimism, Polygon, Binance Smart Chain

This hardcoded WETH address does not match other chains. For example, on Arbitrum the address is: https://arbiscan.io/token/0x82af49447d8a07e3bd95bd0d56f35241523fbab1

What is more, the next variable (gasUsedForSwap) is not used anywhere, so I was not sure what its purpose is:

  uint256 internal constant gasUsedForSwap = 210000;

Impact

The current code of the swap library will only work on mainnet and needs to be manually adjusted before deploying on other chains. If accidentally deployed as it is, then when the time comes to perform the multi-swap, it will throw a runtime error.

Code Snippet

https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/libraries/Swap.sol#L28

Tool used

Manual Review

Recommendation

Inject the WETH address as a parameter.

Duplicate of #308
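The recommendation above, shown as an added illustration that is not code from the Derby repository: the hardcoded library constant beside a version where the wrapped-native token address is passed in as a parameter and fixed once per chain by the deploying contract. The names `SwapHardcoded`, `SwapInjected`, `SwapUser` and `multiSwapPath` are assumed here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's code.
// Before: a library constant pins the mainnet WETH address. Libraries have no
// constructor, so the only way to change it is to edit the source and redeploy.
library SwapHardcoded {
    address internal constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;

    // Builds the hop list tokenA -> WETH -> tokenB. On a chain where this
    // address holds no WETH contract the swap reverts at runtime.
    function multiSwapPath(address tokenA, address tokenB)
        internal pure returns (address[] memory path)
    {
        path = new address[](3);
        path[0] = tokenA; path[1] = WETH; path[2] = tokenB;
    }
}

// After: the library takes the wrapped-native token as a parameter and
// rejects the zero address, so a missing deploy parameter fails early.
library SwapInjected {
    error ZeroWeth();

    function multiSwapPath(address weth, address tokenA, address tokenB)
        internal pure returns (address[] memory path)
    {
        if (weth == address(0)) revert ZeroWeth();
        path = new address[](3);
        path[0] = tokenA; path[1] = weth; path[2] = tokenB;
    }
}

// The deploying contract receives the per-chain value in its constructor, so
// the deploy script, not the Solidity source, carries the chain difference.
contract SwapUser {
    address public immutable WETH;

    constructor(address weth_) {
        require(weth_ != address(0), "SwapUser: zero WETH");
        WETH = weth_;
    }

    function pathFor(address tokenA, address tokenB)
        external view returns (address[] memory)
    {
        return SwapInjected.multiSwapPath(WETH, tokenA, tokenB);
    }
}
```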

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Mar 20, 2023
@sherlock-admin sherlock-admin added the Non-Reward This issue will not receive a payout label Apr 9, 2023
@pauliax

pauliax commented Apr 11, 2023

Escalate for 10 USDC.

This was closed and excluded with no explanation while it is clearly a duplicate of #308.

@sherlock-admin
Contributor Author

Escalate for 10 USDC.

This was closed and excluded with no explanation while it is clearly a duplicate of #308.

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin sherlock-admin added the Escalated This issue contains a pending escalation label Apr 11, 2023
@hrishibhat

Escalation accepted

Valid duplicate of #308

@sherlock-admin
Contributor Author

Escalation accepted

Valid duplicate of #308

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.

@sherlock-admin sherlock-admin added Escalation Resolved This issue's escalations have been approved/rejected and removed Escalated This issue contains a pending escalation labels Apr 13, 2023
@sherlock-admin sherlock-admin added Medium Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout Excluded Excluded by the judge without consulting the protocol or the senior labels Apr 18, 2023