Canto contest - 0x52's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 14/06/2022

Pot Size: $100,000 USDC

Total HM: 26

Participants: 59

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 9

Id: 133

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 12/59

Findings: 9

Award: $2,211.17

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 0xDjango

Also found by: 0x52, Chom, JMukesh, Picodes, Soosh, WatchPug, csanuragjain, k, oyc_109

Labels

bug
duplicate
3 (High Risk)

Awards

782.2807 CANTO - $126.34

126.3383 USDC - $126.34

External Links

Lines of code

https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/NoteInterest.sol#L118-L129

Vulnerability details

Impact

baseRatePerYear can be arbitrarily set by anyone

Proof of Concept

updateBaseRate can be called by anyone as long as deltaBlocks > updateFrequency. A malicious user could set the base rate to uint256.max and cause huge amounts of interest to accumulate on all users, even if the team caught it and reverted it very quickly.

Recommended Mitigation Steps

Make this function permissioned to make sure only the intended contract calls it.

#0 - ecmendenhall

2022-06-21T22:11:48Z

#1 - tkkwon1998

2022-06-22T17:49:04Z

Duplicate of issue #22

#2 - GalloDaSballo

2022-08-04T20:02:17Z

Dup of #22

Findings Information

🌟 Selected for report: Soosh

Also found by: 0x52, 0xDjango, TerrierLover, WatchPug, cccz, saian, zzzitron

Labels

bug
duplicate
3 (High Risk)

Awards

1207.2233 CANTO - $194.97

194.9666 USDC - $194.97

External Links

Lines of code

https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/WETH.sol#L85-L88

Vulnerability details

Impact

All balances held on the contract can be stolen

Proof of Concept

approve(address owner, address spender) is not permissioned in any way and allows anyone to set the allowance of any owner for any spender. A malicious actor could use this to approve everyone's balance to themselves and then transfer all the tokens to themselves.

Recommended Mitigation Steps

Add a check that the owner address specified is msg.sender.
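The following is an added illustration of the recommended check; it is not the project's WETH.sol and nothing beyond the approve(owner, spender) signature named in the finding is taken from the page. The contract name, the transferFrom implementation and the Approval event layout are assumptions chosen to show why an unchecked owner parameter matters: whoever controls an allowance controls the balance it covers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (assumed names), not the project's code.
contract AllowanceExample {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Approval(address indexed owner, address indexed spender, uint256 value);
    event Transfer(address indexed from, address indexed to, uint256 value);

    // Hardened form of the finding's approve(owner, spender): the caller may only
    // set allowances on its own balance. Without the first require, any caller could
    // grant itself an allowance over any account and drain it via transferFrom below.
    function approve(address owner, address spender, uint256 value) external returns (bool) {
        require(owner == msg.sender, "approve: owner must be msg.sender");
        require(spender != address(0), "approve: zero spender");
        allowance[owner][spender] = value;
        emit Approval(owner, spender, value);
        return true;
    }

    // Standard pull-transfer: only spends what `from` explicitly granted to msg.sender.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "transferFrom: insufficient allowance");
        if (allowed != type(uint256).max) {
            allowance[from][msg.sender] = allowed - value;
        }
        require(balanceOf[from] >= value, "transferFrom: insufficient balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }
}
```

The simplest equivalent is the standard ERC-20 approve(spender, value) that writes to allowance[msg.sender]; keeping the explicit owner parameter, as the finding's signature does, only works if it is pinned to msg.sender as above.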

#0 - tkkwon1998

2022-06-21T03:27:19Z

duplicate of issue #19

#1 - GalloDaSballo

2022-08-04T19:26:05Z

Dup of #19

Findings Information

🌟 Selected for report: Tutturu

Also found by: 0x52, WatchPug, hyh, p4st13r4

Labels

bug
duplicate
3 (High Risk)

Awards

2649.5985 CANTO - $427.91

427.9102 USDC - $427.91

External Links

Lines of code

https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/CNote.sol#L43 https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/CNote.sol#L77 https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/CNote.sol#L114 https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/CNote.sol#L146 https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/CNote.sol#L198 https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/CNote.sol#L229 https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/CNote.sol#L310

Vulnerability details

Impact

All functions requiring getCashPrior() == 0 are disabled

Proof of Concept

getCashPrior() is a function inherited from CErc20 (via CErc20Delegate). It returns the current underlying balance of the contract:

https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/CErc20.sol#L147-L150

A malicious user could send the underlying asset to the contract. The underlying can be obtained by redeeming for underlying via redeemUnderlying(), also inherited from CErc20:

https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/CErc20.sol#L71-L73

Once underlying tokens have been donated to the contract, all functions that require getCashPrior() == 0 will cease to function.

Recommended Mitigation Steps

Call getCashPrior() at the beginning and end of the functions and take the difference to determine whether the function left any underlying in the contract.
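The following is an added illustration of the before/after difference check recommended above; it is not the project's CNote.sol. Only getCashPrior() and its definition as the contract's underlying balance come from the page; the contract name, the depositAndForward operation, the treasury address and the minimal token interface are assumptions. The fragile absolute check is shown alongside so the difference is visible: a donation of a single wei permanently breaks the first modifier but has no effect on the second.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token surface needed by the example (assumed).
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added example (assumed names), not the project's code.
contract CashInvariantExample {
    IERC20Minimal public immutable underlying;
    address public immutable treasury;             // assumed sink for forwarded funds
    mapping(address => uint256) public accountTokens;

    constructor(IERC20Minimal _underlying, address _treasury) {
        underlying = _underlying;
        treasury = _treasury;
    }

    // Mirrors the inherited getter described in the finding: current underlying balance.
    function getCashPrior() internal view returns (uint256) {
        return underlying.balanceOf(address(this));
    }

    // Fragile: an absolute requirement. Anyone who transfers underlying directly to this
    // contract makes every function guarded by it revert forever (the denial of service
    // described in the finding).
    modifier noCashAbsolute() {
        require(getCashPrior() == 0, "cash must be zero");
        _;
        require(getCashPrior() == 0, "cash must be zero");
    }

    // Robust: snapshot before, compare after. Pre-existing (donated) balance is ignored;
    // only underlying that the guarded function itself leaves behind fails the check.
    modifier noCashLeftBehind() {
        uint256 cashBefore = getCashPrior();
        _;
        require(getCashPrior() == cashBefore, "function left underlying in contract");
    }

    // Example guarded operation: pull `amount` from the caller and forward all of it,
    // so the net change in this contract's cash must be zero.
    function depositAndForward(uint256 amount) external noCashLeftBehind {
        require(underlying.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        accountTokens[msg.sender] += amount;
        require(underlying.transfer(treasury, amount), "transfer failed");
    }
}
```

If the protocol genuinely needs the contract to hold no underlying between calls, the leftover check above should be paired with an admin-only sweep of stray balances rather than an absolute zero requirement, so donations can be cleaned up without disabling the contract.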

#0 - ecmendenhall

2022-06-21T22:52:52Z

#1 - tkkwon1998

2022-06-22T18:50:34Z

Duplicate of issue #227

Findings Information

🌟 Selected for report: p4st13r4

Also found by: 0x52, Tutturu

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed

Awards

1635.5547 CANTO - $264.14

264.1421 USDC - $264.14

External Links

Lines of code

https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/CNote.sol#L14-L21

Vulnerability details

Impact

_accountant and admin can be set to any arbitrary address

Proof of Concept

_setAccountantContract is a public function that can be called by anyone the first time. This would allow a malicious party to call this function before the team is able to call it.

Recommended Mitigation Steps

Move the functionality inside a constructor and set it on contract creation.
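The following is an added illustration of the constructor-based fix; it is not the project's CNote.sol. Only the names _accountant, admin and _setAccountantContract come from the finding; the contract name, the event and the zero-address checks are assumptions. The fragile first-caller-wins shape is kept as a comment for contrast.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (assumed names), not the project's code.
contract AccountantInitExample {
    address public admin;
    address public _accountant;

    event AccountantSet(address indexed accountant);

    // Fragile pattern described in the finding (shown for contrast, not compiled):
    //
    // function _setAccountantContract(address accountant) public {
    //     require(_accountant == address(0), "already set");   // first caller wins
    //     _accountant = accountant;
    //     admin = msg.sender;
    // }
    //
    // Whoever sends this transaction first, including a frontrunner, becomes admin.

    // Hardened: both values are bound atomically at deployment, so there is no window
    // between creation and initialisation for a third party to claim them.
    constructor(address accountant) {
        require(accountant != address(0), "zero accountant");
        admin = msg.sender;
        _accountant = accountant;
        emit AccountantSet(accountant);
    }

    // Later changes remain possible but are admin-gated instead of open.
    function _setAccountantContract(address accountant) external {
        require(msg.sender == admin, "not admin");
        require(accountant != address(0), "zero accountant");
        _accountant = accountant;
        emit AccountantSet(accountant);
    }
}
```

One caveat for this codebase: the page notes elsewhere that CNote inherits from CErc20Delegate, the Compound delegate pattern in which logic runs behind a delegator proxy. A constructor in the delegate does not write the proxy's storage, so in that deployment model the equivalent fix is to gate the initializer on the delegator's admin (as Compound's _becomeImplementation does) rather than rely on a constructor.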

#0 - GalloDaSballo

2022-08-12T00:35:02Z

Dup of #195

Awards

73.3392 USDC - $73.34

687.9945 CANTO - $111.11

Labels

bug
QA (Quality Assurance)
sponsor confirmed

External Links

Lines of code

https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/NoteInterest.sol#L73-L77

Vulnerability details

Impact

baseRatePerBlock cannot be relied on to accurately contain the current interest rate

Proof of Concept

baseRatePerBlock is set in the constructor but then not updated in either updateBaseRate or _setBaseRatePerYear, which update baseRatePerYear. Any contract that pulls the interest rate from baseRatePerBlock will always get the interest rate initially set at the creation of the contract.

Recommended Mitigation Steps

Update baseRatePerBlock in updateBaseRate and _setBaseRatePerYear.
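The following added example covers both NoteInterest findings on this page: the unpermissioned updateBaseRate (first finding) and the stale baseRatePerBlock (this finding). It is not the project's NoteInterest.sol. Only the names baseRatePerYear, baseRatePerBlock, updateBaseRate, _setBaseRatePerYear, deltaBlocks and updateFrequency come from the page; the contract name, the rateUpdater role, the parameter of updateBaseRate, the blocks-per-year constant and the upper bound on the rate are assumptions. The design point is that every write to the yearly rate goes through one helper that also recomputes the per-block value, so the two can never diverge, and that the periodic update path is restricted to the one contract meant to call it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (assumed names), not the project's code.
contract BaseRateExample {
    uint256 public constant BLOCKS_PER_YEAR = 2102400;        // assumed ~15s blocks
    uint256 public constant MAX_BASE_RATE_PER_YEAR = 1e18;   // assumed cap: 100% (1e18 mantissa)

    address public admin;
    address public rateUpdater;          // the single contract allowed to call updateBaseRate (assumed)

    uint256 public baseRatePerYear;
    uint256 public baseRatePerBlock;     // derived; must always track baseRatePerYear
    uint256 public updateFrequency;
    uint256 public lastUpdateBlock;

    event NewBaseRate(uint256 baseRatePerYear, uint256 baseRatePerBlock);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    modifier onlyRateUpdater() {
        require(msg.sender == rateUpdater, "not rate updater");
        _;
    }

    constructor(address _rateUpdater, uint256 _baseRatePerYear, uint256 _updateFrequency) {
        require(_rateUpdater != address(0), "zero rate updater");
        admin = msg.sender;
        rateUpdater = _rateUpdater;
        updateFrequency = _updateFrequency;
        lastUpdateBlock = block.number;
        _applyBaseRate(_baseRatePerYear);
    }

    // The only place that writes the rate. Both representations are updated together,
    // and the bound keeps an extreme value from accruing runaway interest even if a
    // privileged caller is compromised.
    function _applyBaseRate(uint256 newBaseRatePerYear) internal {
        require(newBaseRatePerYear <= MAX_BASE_RATE_PER_YEAR, "rate too high");
        baseRatePerYear = newBaseRatePerYear;
        baseRatePerBlock = newBaseRatePerYear / BLOCKS_PER_YEAR;
        emit NewBaseRate(baseRatePerYear, baseRatePerBlock);
    }

    // Periodic update: permissioned to the intended contract, still rate-limited by
    // updateFrequency as in the original design.
    function updateBaseRate(uint256 newBaseRatePerYear) external onlyRateUpdater {
        uint256 deltaBlocks = block.number - lastUpdateBlock;
        require(deltaBlocks > updateFrequency, "update too soon");
        lastUpdateBlock = block.number;
        _applyBaseRate(newBaseRatePerYear);
    }

    // Admin override goes through the same helper, so baseRatePerBlock is refreshed here too.
    function _setBaseRatePerYear(uint256 newBaseRatePerYear) external onlyAdmin {
        _applyBaseRate(newBaseRatePerYear);
    }

    function _setRateUpdater(address newRateUpdater) external onlyAdmin {
        require(newRateUpdater != address(0), "zero rate updater");
        rateUpdater = newRateUpdater;
    }
}
```

Consumers that read baseRatePerBlock (or that listen for NewBaseRate) now observe the same value regardless of which setter changed the rate; a unit test that sets the rate through each path and asserts baseRatePerBlock == baseRatePerYear / BLOCKS_PER_YEAR afterwards is the cheapest regression guard for this class of bug.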

#0 - GalloDaSballo

2022-08-07T21:39:43Z

Dup of #200
