Liquidity constructor doesn't check that addresses are unique #39
Labels
0 (Non-critical): Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation
bug: Something isn't working
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Handle
jayjonah8
Vulnerability details
Impact
In Liquidity.sol the constructor takes in 2 addresses, which are _convenience and _pair, and sets them in the contract's storage. The constructor does not check if these two addresses are unique, which leaves room for errors. They should not be able to be the same address.
Proof of Concept
https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Convenience/contracts/Liquidity.sol#L41
Tools Used
Manual code review
Recommended Mitigation Steps
Add this in the Liquidity.sol constructor: require(_convenience != _pair, "No duplicate addresses");