Illuminate contest - 0xDjango's results

Your Sole Source For Fixed-Yields.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $55,000 USDC

Total HM: 29

Participants: 88

Period: 5 days

Judge: gzeon

Total Solo HM: 7

Id: 134

League: ETH

Illuminate

Researcher Performance

Rank: 63/88

Findings: 2

Award: $118.21

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: kirk-baird

Also found by: 0xDjango, GalloDaSballo, Kumpa, kenzo, pashov, shenwilly, tintin, unforgiven

Labels

bug
duplicate
2 (Med Risk)

Awards

54.27 USDC - $54.27

External Links

Lines of code

https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L156-L159

Vulnerability details

Impact

The Illuminate codebase already contains safeguards intended to stop the admin from immediately withdrawing user deposits, so allowing the admin to set arbitrary token approvals with no timelock appears to be an oversight rather than a design decision. For example, direct admin withdrawals are subject to a 3-day timelock:

```solidity
/// @notice minimum amount of time the admin must wait before executing a withdrawal
uint256 constant public HOLD = 3 days;
```

However, the admin can immediately grant an unlimited (max uint256) approval on any token to any address. Any address holding such an approval can pull the contract's entire balance of that token with transferFrom, so the admin can effectively withdraw user funds at any time and the withdrawal timelock is bypassed:

```solidity
function approve(address[] calldata u, address[] calldata a) external authorized(admin) returns (bool) {
    uint256 len = u.length;
    if (len != a.length) {
        revert NotEqual('array length');
    }
    uint256 max = 2**256 - 1;
    for (uint256 i; i < len; ) {
        IERC20 uToken = IERC20(u[i]);
        if (address(0) != (address(uToken))) {
            Safe.approve(uToken, a[i], max);
        }
        unchecked { i++; }
    }
    return true;
}
```

Tools Used

Manual review.

Recommended Mitigation Steps

Gate the two approve() functions behind the same admin timelock that protects direct withdrawals: the admin first schedules a (token, spender) approval, and it can only be executed once HOLD has elapsed, giving users time to exit if they disagree with the approval.
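One way to implement the timelocked approval described in the finding and its mitigation, as an added example that is not Illuminate's code. It keeps the original approve(address[],address[]) entry point and the 3-day HOLD constant the report cites, but each (token, spender) pair must be scheduled first and can only be approved once HOLD has passed. The names scheduleApproval, cancelApproval, the approvals mapping and the events are assumptions, and the Safe.approve library call is replaced by a plain IERC20 call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

/// @notice Added example, not Illuminate's code: the approve() pattern quoted in
/// the finding, gated behind the same HOLD timelock the report cites for admin
/// withdrawals. Names other than approve() and HOLD are assumptions.
contract TimelockedApprovals {
    error NotEqual(string);
    error Unauthorized();
    error NotScheduled();
    error TooEarly(uint256 readyAt);

    /// @notice minimum time between scheduling an approval and executing it
    uint256 public constant HOLD = 3 days;
    address public immutable admin;

    /// @dev keccak256(token, spender) => timestamp at which the approval may execute (0 = none pending)
    mapping(bytes32 => uint256) public approvals;

    event ApprovalScheduled(address indexed token, address indexed spender, uint256 readyAt);
    event ApprovalCancelled(address indexed token, address indexed spender);

    modifier authorized(address a) {
        if (msg.sender != a) revert Unauthorized();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function _key(address token, address spender) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(token, spender));
    }

    /// @notice Step 1: the admin announces the approval on-chain and the HOLD clock
    /// starts. Users who object have HOLD to withdraw before it can take effect.
    /// Scheduling the same pair again restarts the clock.
    function scheduleApproval(address token, address spender) external authorized(admin) {
        uint256 readyAt = block.timestamp + HOLD;
        approvals[_key(token, spender)] = readyAt;
        emit ApprovalScheduled(token, spender, readyAt);
    }

    /// @notice Abort a pending approval before it executes.
    function cancelApproval(address token, address spender) external authorized(admin) {
        delete approvals[_key(token, spender)];
        emit ApprovalCancelled(token, spender);
    }

    /// @notice Step 2: same signature as the original approve(), but every
    /// (token, spender) pair must have been scheduled at least HOLD ago. The slot
    /// is cleared on execution, so a later approval needs a fresh schedule.
    function approve(address[] calldata u, address[] calldata a) external authorized(admin) returns (bool) {
        uint256 len = u.length;
        if (len != a.length) {
            revert NotEqual('array length');
        }
        for (uint256 i; i < len; ) {
            bytes32 k = _key(u[i], a[i]);
            uint256 readyAt = approvals[k];
            if (readyAt == 0) revert NotScheduled();
            if (block.timestamp < readyAt) revert TooEarly(readyAt);
            delete approvals[k];
            if (u[i] != address(0)) {
                // Plain approve for brevity; production code should use a
                // safe-approve wrapper because some tokens return no bool.
                IERC20(u[i]).approve(a[i], type(uint256).max);
            }
            unchecked { ++i; }
        }
        return true;
    }
}
```

The admin calls scheduleApproval(token, spender), waits at least 3 days, then calls approve([token], [spender]); calling approve() on an unscheduled pair or before readyAt reverts. Two caveats a reviewer would raise: the timelock only gates new approvals, so any unlimited allowance already granted before the upgrade stays in force until it is explicitly revoked, and cancelApproval is only a real safety valve if the cancelling role is separate from (or a multisig over) the admin who scheduled it.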

#0 - sourabhmarathe

2022-07-01T20:09:03Z

Duplicate of #115.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
