# 29149 - \[SC - Insight] DoS in Zero Registry configuration updation Submitted on Mar 8th 2024 at 17:44:51 UTC by @oxumarkhatab for [Boost | ZeroLend](https://immunefi.com/bounty/zerolend-boost/) Report ID: #29149 Report type: Smart Contract Report severity: Insight Target: Impacts: * Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) ## Description ## Brief/Intro The zero registry will not update the configuration in it's storage due to incomplete implementation. ## Vulnerability Details The ZeroRegistry contains many onlyOwner functions among which `setPoolConfiguratorImpl` is the one. It takes newPool configuration and supposed to update the implementation logic. ``` function setPoolConfiguratorImpl( address newPoolConfiguratorImpl ) external override onlyOwner { address oldPoolConfiguratorImpl = _getProxyImplementation( POOL_CONFIGURATOR ); _updateImpl(POOL_CONFIGURATOR, newPoolConfiguratorImpl); emit PoolConfiguratorUpdated( oldPoolConfiguratorImpl, newPoolConfiguratorImpl ); } ``` However , due to incomplete implementation of `_getProxyImplementation` & `_updateImpl`, `_getProxyImplementation will always result 0` ``` function _getProxyImplementation(bytes32 id) internal returns (address) { // address proxyAddress = _addresses[id]; // if (proxyAddress == address(0)) { // return address(0); // } else { // address payable payableProxyAddress = payable(proxyAddress); // return // InitializableImmutableAdminUpgradeabilityProxy( // payableProxyAddress // ).implementation(); // } return address(0); } ``` and `_updateImpl` wil always pass and do no storage updates ``` function _updateImpl(bytes32 id, address newAddress) internal { address proxyAddress = _addresses[id]; // InitializableImmutableAdminUpgradeabilityProxy proxy; // bytes memory params = abi.encodeWithSignature( // "initialize(address)", // address(this) // ); // if (proxyAddress == address(0)) { // proxy = new InitializableImmutableAdminUpgradeabilityProxy( // address(this) // ); // _addresses[id] = proxyAddress = address(proxy); // proxy.initialize(newAddress, params); // emit ProxyCreated(id, proxyAddress, newAddress); // } else { // proxy = InitializableImmutableAdminUpgradeabilityProxy( // payable(proxyAddress) // ); // proxy.upgradeToAndCall(newAddress, params); // } } ``` This function does not store or update anything, leading to denial of service for owner. ( technically it stores the new implementation address always at the zero proxy address which is logical flaw) In an event where the configuration's implementation has to be updated and otherwise a lot of funds would be at risk, this function will fail to secure the protocol and cause un-intended behaviour causing DoS of updation of configurations. ## Impact Details Protocol functioning damage - Updates through registry can not be done due to in-complete logic implementation. ## References see PoC for details ## Proof of Concept Although it's clear from the above report description , you can visualize the scenario from this PoC ``` function test_failedConfigUpdate()public{ // suppose we have deployed contract stored in variable zeroRegistry_deployed address newPoolConfigImpl=0x37A8d3c717ec8fDc8BD859627F18ce89c31E1E8b; vm.startPrank(Owner); zeroRegistry_deployed.setPoolConfiguratorImpl(newPoolConfigImpl); assertEq(zeroRegistry._getProxyImplementation(),address(0)); vm.stopPrank(0) } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/zerolend/29149-sc-insight-dos-in-zero-registry-configuration-updation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.