From 09786acdf979c3a4208c118504f1607080964606 Mon Sep 17 00:00:00 2001 From: C4 <81770958+code423n4@users.noreply.github.com> Date: Wed, 30 Aug 2023 04:28:56 -0700 Subject: [PATCH] T1MOH data for issue #425 --- data/T1MOH-Q.md | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 data/T1MOH-Q.md diff --git a/data/T1MOH-Q.md b/data/T1MOH-Q.md new file mode 100644 index 00000000..3ab187f4 --- /dev/null +++ b/data/T1MOH-Q.md @@ -0,0 +1,52 @@ +## 1. Memory will be corrupted if add reserve with the same symbol +### Impact +There is check to prevent adding asset with duplicate address, but it doesn't check whether tokenSymbol was previously used. +If yes, old assetReserve will be overriden with the new one + +### Proof of Concept +Suppose there already exists "DPXETH" reserve with totalSupply = 1000. +Now reserve "DPXETH" is added but with different address, old is overriden +```solidity + function addAssetTotokenReserves( + address _asset, + string memory _assetSymbol + ) external onlyRole(DEFAULT_ADMIN_ROLE) { + require(_asset != address(0), "RdpxV2Core: asset cannot be 0 address"); + + for (uint256 i = 1; i < reserveAsset.length; i++) { + require( + reserveAsset[i].tokenAddress != _asset, + "RdpxV2Core: asset already exists" + ); + } + + ReserveAsset memory asset = ReserveAsset({ + tokenAddress: _asset, + tokenBalance: 0, + tokenSymbol: _assetSymbol + }); + reserveAsset.push(asset); + reserveTokens.push(_assetSymbol); + + //@audit HERE OLD RESERVE WILL BE OVERRIDEN WITH THE NEW ONE +@> reservesIndex[_assetSymbol] = reserveAsset.length - 1; + + emit LogAssetAddedTotokenReserves(_asset, _assetSymbol); + } +``` + +### Tools Used +Manual Review + +### Recommended Mitigation Steps + +```solidity + for (uint256 i = 1; i < reserveAsset.length; i++) { + require( + reserveAsset[i].tokenAddress != _asset, + "RdpxV2Core: asset already exists" + ); + ++ require(reserveAsset[i].tokenSymbol != _assetSymbol); + } +```