Uninitialized referenceContractAddress may be used #81
Labels: 1 (Low Risk), bug, duplicate, sponsor disputed
Handle
0xRajeev
Vulnerability details
Impact
referenceContractAddress is 0 (the default value) until set by setReferenceContractAddress(). It is possible to call createMarket() before it is set correctly by the deployment script, in which case Clones.clone(0) is called, which possibly results in unexpected behavior or leads to reverts later in the code.
Proof of Concept
https://github.com/code-423n4/2021-06-realitycards/blob/86a816abb058cc0ed9b6f5c4a8ad146f22b8034c/contracts/RCFactory.sol#L31
https://github.com/code-423n4/2021-06-realitycards/blob/86a816abb058cc0ed9b6f5c4a8ad146f22b8034c/contracts/RCFactory.sol#L432
https://github.com/code-423n4/2021-06-realitycards/blob/86a816abb058cc0ed9b6f5c4a8ad146f22b8034c/contracts/RCFactory.sol#L551
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add a zero-address check before the call to Clones.clone(referenceContractAddress).
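The guard recommended above, shown as an added example that is not part of the original issue or of the RealityCards code base. The contract, its owner handling, the `ReferenceContractNotSet` error and the `createMarketUnchecked` comparison function are all hypothetical; only `Clones.clone()` from OpenZeppelin and the function names `setReferenceContractAddress()` / `createMarket()` come from the issue.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not RCFactory: a minimal clone factory illustrating the
// ordering hazard (reference set after deployment) and the zero-address guard.
import "@openzeppelin/contracts/proxy/Clones.sol";

contract ExampleCloneFactory {
    // Hypothetical owner handling so the example is self-contained.
    address public owner;

    // Defaults to address(0) at deployment; the deployment script is expected
    // to call setReferenceContractAddress() before any market is created.
    address public referenceContractAddress;

    // Hypothetical custom error used by the hardened path.
    error ReferenceContractNotSet();

    event MarketCreated(address indexed market);
    event ReferenceContractUpdated(address indexed reference);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Reject a zero reference at the source as well, so the setter cannot
    // reintroduce the uninitialized state later.
    function setReferenceContractAddress(address _reference) external onlyOwner {
        require(_reference != address(0), "reference cannot be zero");
        referenceContractAddress = _reference;
        emit ReferenceContractUpdated(_reference);
    }

    // Vulnerable pattern (kept here only for comparison): if called before the
    // setter, this deploys an EIP-1167 proxy that delegates to address(0).
    function createMarketUnchecked() external returns (address market) {
        market = Clones.clone(referenceContractAddress);
        emit MarketCreated(market);
    }

    // Hardened pattern: fail fast with a clear reason instead of deploying a
    // proxy to an address that has no code.
    function createMarket() external returns (address market) {
        address reference = referenceContractAddress;
        if (reference == address(0)) revert ReferenceContractNotSet();
        market = Clones.clone(reference);
        emit MarketCreated(market);
    }
}
```

Checking at both the setter and the point of use is deliberate: the setter check stops an operator from clearing the reference later, and the check in `createMarket()` covers the window between factory deployment and the deployment script's call to the setter, which is the window the issue describes.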