Daring Chartreuse Gecko
Medium
No access control on deployment functions allows anyone to deploy contracts with arbitrary parameters.
Beacon Proxy pattern allows for upgradable proxy contracts where all proxies point to a beacon contract that holds the implementation address. When the implementation needs to be upgraded, the beacon is updated, and all proxies automatically point to the new implementation. The function is external and does not have any access restrictions. This means anyone can call deployBondToken to deploy a new BondToken contract with arbitrary parameters, including setting themselves as the minter or governance.
The Deployer contract has three main functions:
deployBondToken deployLeverageToken deployDistributor Each function deploys a new contract instance using a BeaconProxy and initializes it with specific parameters.
- deployBondToken Function solidity
function deployBondToken( address bondBeacon, string memory name, string memory symbol, address minter, address governance, address poolFactory, uint256 sharesPerToken ) external returns(address) { return address(new BeaconProxy( address(bondBeacon), abi.encodeCall( BondToken.initialize, (name, symbol, minter, governance, poolFactory, sharesPerToken) ) )); }
The function is external and does not have any access restrictions. This means anyone can call deployBondToken to deploy a new BondToken contract with arbitrary parameters, including setting themselves as the minter or governance. An attacker can exploit this by deploying a malicious BondToken that interacts with other system components, potentially disrupting the system or extracting value.
- deployLeverageToken Function solidity
function deployLeverageToken( address leverageBeacon, string memory name, string memory symbol, address minter, address governance, address poolFactory ) external returns(address) { return address(new BeaconProxy( address(leverageBeacon), abi.encodeCall( LeverageToken.initialize, (name, symbol, minter, governance, poolFactory) ) )); }
Similar to deployBondToken, this function is external without any access restrictions. Anyone can deploy a new LeverageToken with arbitrary parameters.
- deployDistributor Function solidity
function deployDistributor( address distributorBeacon, address pool, address poolFactory ) external returns(address) { return address(new BeaconProxy( address(distributorBeacon), abi.encodeCall( Distributor.initialize, (pool, poolFactory) ) )); }
This function is also external with no access restrictions. Anyone can deploy a new Distributor contract linked to any pool address they choose.
No response
No response
No response
The Deployer contract allows anyone to deploy critical system contracts (BondToken, LeverageToken, Distributor) without any access control. Only authorized entities (e.g., the system owner or a factory contract) should be able to deploy new instances of these contracts to maintain system integrity.
Since anyone can specify the initialization parameters, they can set themselves as minter, governance, or link to any pool.
No response