Hardcoded default value for the gateway address [code-improvement] #19

Open
0xM3R opened this issue Dec 16, 2024 · 1 comment
0xM3R commented Dec 16, 2024

File: deploy.ts
Issue: Hardcoded default value for the gateway address.

Analysis

The vulnerable implementation is as follows:

```typescript
.addOptionalParam(
    "gateway",
    "Gateway address (default: ZetaChain Gateway)",
    "0x6c533f7fe93fae114d0954697069df33c9b74fd7"
);
```

  • Hardcoded Value: The gateway address is set to a default value, which may not be suitable for all deployment environments.

How It Can Be Harmful

  • Predictability: Hardcoded addresses can be exploited if attackers anticipate their use.
  • Misconfigurations: Deployments may malfunction if the default address is incorrect for the target environment.

How to Mitigate the Issue

1. Validate Configurations: Ensure the args.gateway is valid during runtime.

```typescript
// ethers v6 import; on ethers v5 use ethers.utils.isAddress instead
import { isAddress } from "ethers";

// Reject anything that is not a well-formed 20-byte hex address before deploying
if (!isAddress(args.gateway)) {
    throw new Error("Invalid gateway address.");
}
```

2. Use Environment Variables: Replace hardcoded values with environment variables to allow flexibility across different environments.

References

  • OpenZeppelin Adjustable Parameters (OpenZeppelin Blog): guidance on implementing adjustable parameters to improve contract flexibility.
@0xM3R 0xM3R added the Security label Dec 16, 2024
@0xM3R 0xM3R transferred this issue from another repository Dec 17, 2024
@0xM3R 0xM3R transferred this issue from zeta-chain/smart-contract-vulns Dec 17, 2024
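The two mitigation steps above (validate the address at runtime, let the environment override it) can be combined into one small resolver that keeps the default for convenience but makes explicit where the value came from. The code below is an added example, not the project's deploy.ts or code from either participant. The default address is the one quoted in the issue; the env var name GATEWAY_ADDRESS and the isHexAddress helper (a format-only stand-in for ethers' isAddress that does not check the EIP-55 checksum) are assumptions made for this example.

```typescript
// Added example (not ZetaChain project code): resolve the gateway address with
// explicit precedence (CLI param > env var > default) and validate whatever wins.

// Default quoted from the issue; the env var name is an assumption for this example.
const DEFAULT_GATEWAY = "0x6c533f7fe93fae114d0954697069df33c9b74fd7";
const GATEWAY_ENV_VAR = "GATEWAY_ADDRESS";

type Env = Record<string, string | undefined>;

interface GatewayResolution {
  address: string;
  // Recorded so the deploy script can log which source supplied the address.
  source: "param" | "env" | "default";
}

// Simplified stand-in for ethers' isAddress: "0x" followed by exactly 40 hex
// characters. It does not verify the EIP-55 mixed-case checksum.
function isHexAddress(value: unknown): value is string {
  return typeof value === "string" && /^0x[0-9a-fA-F]{40}$/.test(value);
}

// paramValue is what the Hardhat task received for --gateway (undefined when omitted).
// allowDefault=true preserves the current UX; pass false for environments where a
// silently-applied default would be a misconfiguration.
function resolveGatewayAddress(
  paramValue: string | undefined,
  env: Env,
  allowDefault = true,
): GatewayResolution {
  const candidates: Array<[string | undefined, GatewayResolution["source"]]> = [
    [paramValue, "param"],
    [env[GATEWAY_ENV_VAR], "env"],
  ];

  for (const [raw, source] of candidates) {
    if (raw === undefined || raw.trim() === "") continue;
    const value = raw.trim();
    // An explicitly supplied but malformed value is an error, never a fallthrough.
    if (!isHexAddress(value)) {
      throw new Error(`Invalid gateway address from ${source}: ${value}`);
    }
    return { address: value, source };
  }

  if (!allowDefault) {
    throw new Error(
      `No gateway address supplied; pass --gateway or set ${GATEWAY_ENV_VAR}`,
    );
  }
  return { address: DEFAULT_GATEWAY, source: "default" };
}

// Constructed sample inputs: an empty environment and one that overrides the default.
const fromDefault = resolveGatewayAddress(undefined, {});
const fromEnv = resolveGatewayAddress(undefined, {
  GATEWAY_ADDRESS: "0x" + "ab".repeat(20),
});
console.log(`gateway ${fromDefault.address} (source: ${fromDefault.source})`);
console.log(`gateway ${fromEnv.address} (source: ${fromEnv.source})`);
```

Because the resolver returns the source alongside the address, the deploy task can keep the one-liner convenience fadeev describes while still printing "source: default" in its output, which is usually enough for an operator to notice a wrong-network deployment before funds move.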
fadeev (Member) commented Dec 18, 2024

Gateway and Uniswap router addresses are hardcoded only for UX purposes. Otherwise, devs would have to copy-paste them every single time. I don't think there is a solution for this issue that wouldn't affect the dev experience.
