Zellic - Audit Reports

Category: Coding Mistakes

Launchpad's migrate sets the contract to the current version and not the target version

Informational Severity

Informational Impact

N/A Likelihood

Description

The function migrate_version is responsible for migrating the contract; however, it treats the target_contract_version as the version in the past (that the migration is away from) and the version as the version to migrate to.

pub fn migrate_version(
    deps: DepsMut,
    target_contract_version: &str,
    name: &str,
    version: &str,
) -> StdResult<()> {
    ...
    if prev_version.version != target_contract_version {
        return Err(StdError::generic_err(format!(
            "invalid contract version. target {}, but source is {}",
            target_contract_version, prev_version.version
        )));
    }
    set_contract_version(deps.storage, name, version)?;

    Ok(())
}

const CONTRACT_NAME: &str = "crates.io:launchpad";
const CONTRACT_VERSION: &str = env!("CARGO_PKG_VERSION");
const TARGET_CONTRACT_VERSION: &str = "0.1.2";

pub fn migrate(deps: DepsMut, _env: Env, _msg: MigrateMsg) -> Result<Response, ContractError> {
    migrate_version(
    deps,
    TARGET_CONTRACT_VERSION,
    CONTRACT_NAME,
    CONTRACT_VERSION,
    )?;

    Ok(Response::default())
}

Impact

The misnaming of source and target may lead to mistakes when updating the contract for deployment, costing gas for failed migrations.

Recommendations

Rename TARGET_CONTRACT_VERSION to EXPECTED_PREVIOUS_CONTRACT_VERSION in launchpad, and rename target_contract_version to previous_contract_version and version to updated_contract_version in migrate_version.

Remediation

This issue has been acknowledged by Dojoswap Labs, PTE, and a fix was implemented in commit ce55f60d↗.