Swivel v3 contest - 0xSky's results

The Capital-Efficient Protocol For Fixed-Rate Lending.

General Information

Platform: Code4rena

Start Date: 12/07/2022

Pot Size: $35,000 USDC

Total HM: 13

Participants: 78

Period: 3 days

Judge: 0xean

Total Solo HM: 6

Id: 135

League: ETH

Swivel

Findings Distribution

Researcher Performance

Rank: 28/78

Findings: 1

Award: $106.88

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: bin2chen

Also found by: 0x52, 0xDjango, 0xSky, Picodes, auditor0517, rokinot, ronnyx2017, scaraven

Labels

bug
duplicate
2 (Med Risk)

Awards

106.8838 USDC - $106.88

External Links

Lines of code

https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L156
https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L164

Vulnerability details

Impact

ZcToken.withdraw and ZcToken.redeem will always revert.

Proof of Concept

https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Tokens/ZcToken.sol#L107
https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Tokens/ZcToken.sol#L116

ZcToken.withdraw and ZcToken.redeem both call redeemer.authRedeem, where redeemer can be the MarketPlace. MarketPlace.authRedeem in turn calls ISwivel(swivel).authRedeem.

https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L156
https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L164

No authRedeem function is defined in the Swivel contract, so the call matches no function selector and the transaction reverts. As a result, ZcToken.withdraw and ZcToken.redeem revert whenever the redeemer is the MarketPlace.

Tools Used

VSCode

Recommended Mitigation Steps

Change authRedeem to authRedeemZcToken in MarketPlace.

function authRedeem(uint8 p, address u, uint256 m, address f, address t, uint256 a) public authorized(markets[p][u][m].zcToken) returns (uint256 underlyingAmount) { Market memory market = markets[p][u][m]; // if the market has not matured, mature it... if (market.maturityRate == 0) { if (!matureMarket(p, u, m)) { revert Exception(30, 0, 0, address(0), address(0)); } if (!IZcToken(market.zcToken).burn(f, a)) { revert Exception(29, 0, 0, address(0), address(0)); } - ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, a); + ISwivel(swivel).authRedeemZcToken(p, u, market.cTokenAddr, t, a); return (a); } else { if (!IZcToken(market.zcToken).burn(f, a)) { revert Exception(29, 0, 0, address(0), address(0)); } uint256 amount = calculateReturn(p, u, m, a); - ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, amount); + ISwivel(swivel).authRedeemZcToken(p, u, market.cTokenAddr, t, amount); return (amount); } }
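Review bot: both call sites are renamed to authRedeemZcToken, but the ISwivel interface that MarketPlace compiles against is not part of the change shown; unless ISwivel also declares authRedeemZcToken(uint8, address, address, address, uint256) with the signature the Swivel contract actually implements, the call still encodes a selector Swivel does not have and reverts exactly as the finding describes. Suggest updating the interface in the same change and adding a test that drives ZcToken.withdraw and ZcToken.redeem through a deployed MarketPlace and Swivel, since a selector mismatch between an interface and its implementation is invisible to the compiler and only surfaces at runtime.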

#0 - JTraversa

2022-07-18T23:26:17Z

Duplicate of #39

#1 - bghughes

2022-07-31T19:19:09Z

Duplicate of #39

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
