Skip to content

Latest commit

 

History

History
71 lines (40 loc) · 3.25 KB

021.md

File metadata and controls

71 lines (40 loc) · 3.25 KB
Raw

Magic Chartreuse Gecko

Medium

Unused Import Detected in MorphoLeverageStrategyExtension: IERC20 from OpenZeppelin

Summary

An unused import statement, import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";, was detected in the MorphoLeverageStrategyExtension contract. This introduces unnecessary dependencies in the contract, potentially increasing bytecode size and impacting gas efficiency.

Root Cause

The IERC20 interface was imported into the contract but was not utilized in any function or declaration. This may have been the result of an earlier implementation plan that was either changed or removed without cleaning up the import statements. https://github.com/sherlock-audit/2024-10-morpho-x-index/blob/main/index-coop-smart-contracts/contracts/adapters/MorphoLeverageStrategyExtension.sol#L23

Internal pre-conditions

  1. The MorphoLeverageStrategyExtension contract is being compiled and deployed.
  2. Importing IERC20 without referencing it in the contract body.

External pre-conditions

  1. OpenZeppelin’s IERC20 interface from the ERC-20 standard is available as an external dependency in the project.
  2. No calls or interactions with any ERC-20 token standard within this particular contract.

Attack Path

Although the unused import does not directly pose a security vulnerability, it may indirectly lead to issues:

  1. Increase in Bytecode Size: Including unused imports can unnecessarily inflate the bytecode of the contract, leading to higher deployment costs.

  2. Potential Future Exploits: If unused imports go unnoticed in multiple parts of the codebase, they may lead to confusion and become potential targets for exploits in a larger context where imports are mishandled.

Impact

  • Gas Efficiency: While unused imports do not impact runtime gas usage, they can marginally increase deployment costs due to additional bytecode.

  • Code Cleanliness: Keeping unused imports can clutter the codebase and reduce maintainability. This could also lead to confusion during audits or reviews, increasing the effort required to ensure contract integrity.

  • Security: In this specific case, no immediate security risk is present, but bloated contracts with unnecessary imports can make audit processes longer and more error-prone.

PoC

Compile the contract as-is:

  • Verify that IERC20 is imported but not referenced anywhere in the contract body. Run static analysis using tools like Solhint:

  • It will detect and flag the unused import, highlighting it for removal. Deployment bytecode size analysis:

  • Compare the contract’s bytecode with and without the unused import. Notice the slight increase in bytecode size when the unused import is present.

Mitigation

  1. Remove Unused Imports:
  • Simply remove the following line from the MorphoLeverageStrategyExtension contract: solidity
- import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
  1. Linter Integration:
  • Use a linter like Solhint or Ethlint in the development pipeline to automatically detect unused imports and enforce code cleanliness.
  1. Code Reviews:
  • Ensure that all future pull requests and changes undergo proper code review where unused imports and redundant code can be flagged early.