The BoringFactory.deploy() function is used to deploy lightweight proxy contracts. The function does not revert properly if there is a failed contract deployment or revert from the create2 opcode as it does not properly check the returned address for bytecode. The create2 opcode returns the expected address which will never be the zero address.
Thanks for reporting this. What is the failure case here? Under which conditions would create2 not revert after failure? The specs say it should throw.
If a contract creation is attempted, due to either a creation transaction or the CREATE (or future CREATE2) opcode, and the destination address already has either nonzero nonce, or nonempty code, then the creation throws immediately, with exactly the same behavior as would arise if the first byte in the init code were an invalid opcode. This applies retroactively starting from genesis.
Impact
The BoringFactory.deploy() function is used to deploy lightweight proxy contracts. The function does not revert properly if there is a failed contract deployment or revert from the create2 opcode as it does not properly check the returned address for bytecode. The create2 opcode returns the expected address which will never be the zero address.
Proof of Concept
https://github.com/boringcrypto/BoringSolidity/blob/master/contracts/BoringFactory.sol#L32-L68
Recommended Mitigation Steps
The recommended mitigation is to check the address returned by create2, that is, the cloneAddress variable, for a non-zero address and non-zero code size.
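One way to implement the two checks recommended above, as an added example that is not BoringSolidity's code or part of the original report. The contract name `CheckedCloneFactory`, the custom errors and the `CloneDeployed` event are hypothetical; the creation bytes are the standard EIP-1167 minimal proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example (hypothetical contract, not BoringSolidity code).
contract CheckedCloneFactory {
    error CloneFailed();                 // create2 yielded address(0)
    error CloneHasNoCode(address clone); // address returned, but no runtime code

    event CloneDeployed(address indexed masterContract, address indexed cloneAddress);

    /// Deploys an EIP-1167 minimal proxy for `masterContract` with CREATE2 and
    /// reverts unless the result is a non-zero address that holds bytecode.
    function deploy(address masterContract, bytes32 salt)
        external
        returns (address cloneAddress)
    {
        require(masterContract != address(0), "no master contract");
        bytes20 targetBytes = bytes20(masterContract);

        assembly {
            // Build the 55-byte (0x37) EIP-1167 creation code in free memory.
            let clone := mload(0x40)
            mstore(clone, 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000000000000000000000)
            mstore(add(clone, 0x14), targetBytes)
            mstore(add(clone, 0x28), 0x5af43d82803e903d91602b57fd5bf30000000000000000000000000000000000)
            // Per EIP-1014, create2 leaves 0 on the stack when creation fails,
            // for example when the salt was already used for this init code.
            cloneAddress := create2(0, clone, 0x37, salt)
        }

        // Check 1: a failed creation must abort the whole call.
        if (cloneAddress == address(0)) revert CloneFailed();
        // Check 2: the new address must actually contain runtime code.
        if (cloneAddress.code.length == 0) revert CloneHasNoCode(cloneAddress);

        emit CloneDeployed(masterContract, cloneAddress);
    }
}
```

Calling `deploy` twice with the same `masterContract` and `salt` is a quick way to exercise the first check, since the second creation targets an address that already has code.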