Inconsistencies of WETH across chains can cause incorrect functionality of the protocol

[c4-bot-4]

Lines of code

https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTB.sol#L8

Vulnerability details

Proof of Concept

According to the README and sponsors, the codebase is expected to support all chains (EVM and non-EVM) that LayerZero supports.

Although all chains are expected to be supported, there are some inconsistencies of the WETH token across these chains. These inconsistencies can cause incorrect functionality of the protocol, DOS of the protocol and failed deployments.

Here are the inconsistencies:

1. WETH is not deployed on all chains that LayerZero supports

2. The contracts below are compared to this WETH contract on Ethereum mainnet.

Binance => BEP20 => does not have WETH but BEP20, no deposit/withdraw functions
Avalanche => WETH => no deposit/withdraw functions
Aptos (non-evm) => zWETH => Uses Layerzero Wrapped Ether (zWETH), uses 6 decimals not 18
Polygon => WETH => function signature for deposit() function is different and can only be called by ChildChainManager
Fantom => no WETH contract, it has fETH
Moonbeam => WETH => no deposit/withdraw functions
Fuse => WETH => no deposit/withdraw functions
Gnosis chain => WETH => no deposit/withdraw functions
zkSync era => WETH => no deposit/withdraw functions
Tenet => WETH => no deposit/withdraw functions
Astar => WETH => no deposit/withdraw functions
Horizen EON => WETH => no deposit/withdraw functions

Impacts of the inconsistencies:

1. If WETH is not deployed on all chains LayerZero supports, the protocol is limited to deploy to only specific functional chains, which limits the project.
2. The protocol won't work on Binance since it does not seem to have a WETH token but a BEP20 token. Even the BEP20 token does not have deposit/withdraw functions.
3. The protocol, if deployed, would DOS on chains like Avalanche, Moonbeam, Fuse, Gnosis, zkSync era, Tenet, Astar and Horizen EON since their WETH contracts do not have the deposit/withdraw functions.
4. Aptos (non-evm) uses Layerzero Wrapper Ether as the WETH token. Additionally, this token has 6 decimals. The chain does not use Solidity so the contract cannot be deployed on it yet.
5. The protocol would DOS if it uses the WETH contract on Polygon since the deposit() function has a different function signature.
6. The protocol cannot be deployed on Fantom since it uses fETH and does not seem to have a WETH token. It does have an ETH token contract though it does not have the deposit/withdraw functions.
7. There is a WETH contract present on Scroll but it's source code is not verified. Before deploying on it, ensure the function signatures match.

LayerZero supported chains which work fine with WETH:

1. Ethereum mainnet
2. Arbitrum
3. Optimism
4. Polygon zkEVM
5. Linea
6. Base
7. Zora
8. Aurora
9. Manta
10. Public Goods Network
11. Arbitrum Nova

Note: I've manually confirmed each of these inconsistencies on every LayerZero supported chain through block explorers. To ensure no chain is missed out, consider cross-checking the WETH contracts.

Tools Used

Manual Review

Recommended Mitigation Steps

1. For WETH contracts that do not use deposit/withdraw functions, consider implementing separate interfaces to ensure the function signatures match.
2. For chains without a WETH contract, consider using other wrapped tokens as an alternative.

Assessed type

Other

[c4-pre-sort]

raymondfam marked the issue as sufficient quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #333

[c4-judge]

alex-ppg marked the issue as unsatisfactory:
Invalid

[mcgrathcoutinho]

Hi @alex-ppg, thank you for the detailed response on the primary issue.

I think this issue should be valid since zksync era and scroll both have their gas currency as ETH currently (see here for zksync and here for scroll).
Provided that the WETH contract has a different signature on zksync era (which is pointed out in the report), could you please re-evaluate this issue.

Thank you for your time.

[alex-ppg]

Hey @mcgrathcoutinho, thank you for raising your concerns about this issue. You can see on this reply of the primary issue that the WETH asset would solely be interacted with in the DecentEthRouter::redeemEth function whose impacts are detailed in a separate exhibit: #505

Based on the above, I will retain the current ruling regardless of which chains the contract can be deployed in as the WETH asset will solely be interacted in a function whose impact would be QA based on #505.