Duplicate Contract Names #12
Labels
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
3 (High Risk)
phijfry
added
the
disagree with severity
|
Based on the contracts that have been pointed out I can't see how this can lead to loss of funds as the severity suggests? Considering we are talking about compiled artifacts. Could the warden elaborate here? |
0xMaharishi
added
the
sponsor confirmed
|
This should be a 0 or 1 severity (being generous). There is no way for anything bad to happen here considering both the ABIs are different and used explicity |
0xMaharishi
added
the
resolved
|
Fixed in code-423n4/2022-05-aura#5 |
|
This is definitely a code quality issue and a good report, but does not constitute a potential loss of funds or even disfunction in the protocol itself. Downgrading to QA. |
dmvt
added
QA (Quality Assurance)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/CrvDepositorWrapper.sol#L9
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraStakingProxy.sol#L10
Vulnerability details
Impact
If a codebase has two contracts with the same names, the compilation artifacts will not contain one of the contracts.
ICrvDepositorexists in bothAuraStakingProxyandCrvDepositorWrapperTools
Manual Review
Recommended Mitigation Steps
Move the contract to an interface file and import it or if the interface differs rename one of the contracts.
The text was updated successfully, but these errors were encountered: