gogo - Protocol is will not work on most of the supported blockchains due to hardcoded WETH contract address.

[sherlock-admin]

gogo

high

Protocol is will not work on most of the supported blockchains due to hardcoded WETH contract address.

Summary

The WETH address is hardcoded in the Swap library.

Vulnerability Detail

As stated in the README.md, the protocol will be deployed on the following EVM blockchains - Ethereum Mainnet, Arbitrum, Optimism, Polygon, Binance Smart Chain. While the project has integration tests with an ethereum mainnet RPC, they don't catch that on different chains like for example Polygon saveral functionallities will not actually work because of the hardcoded WETH address in the Swap.sol library:

address internal constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;

https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/libraries/Swap.sol#L28

Impact

Protocol will not work on most of the supported blockchains.

Code Snippet

address internal constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;

https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/libraries/Swap.sol#L28

Tool used

Manual Review

Recommendation

The WETH variable should be immutable in the Vault contract instead of a constant in the Swap library and the Wrapped Native Token contract address should be passed in the Vault constructor on each separate deployment.

[Theezr]

Fix:
https://github.com/derbyfinance/derby-yield-optimiser/pull/206