This repository has been archived by the owner on May 26, 2023. It is now read-only.
Fixed-expiry bonds should only be deployed during bond or market creation
Summary
Fixed-expiry bonds should only be deployed during bond or market creation.
Vulnerability Detail
Right now, everyone can deploy any fixed-expiry bond contract (see BondFixedExpiryTeller.sol#L158-L163). However, the bond will only be minted during bond creation (see BondFixedExpiryTeller.sol#L126 and BondFixedExpiryTeller.sol#L131). Hence, it is better to deploy the bond during creation to prevent too many contract addresses without any balance from being deployed.
Impact
Too many fixed-expiry deployed bond contracts were created without any balance
Recommendation
1. Replace these lines (see BondFixedExpiryTeller.sol#L107-L108) with

    if (bondToken == ERC20BondToken(address(0x00))) {
        deploy(underlying_, expiry_);
    }

2. Do not allow any user to access this deploy function (see BondFixedExpiryTeller.sol#L158-L163) directly. It is fine to allow other functions to call this function, like what is suggested in 1 and the createMarket function (see BondFixedExpirySDA.sol#L46).
Disagree with this issue. The idea with having open token deployment and token creation functions is to allow users/protocols to use bond tokens even if they don't want to sell them via the auction mechanism. Having a common token for a specific underlying and expiry used across different protocols can allow building enough liquidity for secondary markets.
caventa
medium
Code Snippet
https://github.com/sherlock-audit/2022-11-bond/blob/main/src/BondFixedExpiryTeller.sol#L158-L163
https://github.com/sherlock-audit/2022-11-bond/blob/main/src/BondFixedExpiryTeller.sol#L126
https://github.com/sherlock-audit/2022-11-bond/blob/main/src/BondFixedExpiryTeller.sol#L131
https://github.com/sherlock-audit/2022-11-bond/blob/main/src/BondFixedExpiryTeller.sol#L107-L108
https://github.com/sherlock-audit/2022-11-bond/blob/main/src/BondFixedExpirySDA.sol#L46
Tool used
Manual Review
Recommendation