Back to 0xSky's contests

Canto Dex Oracle contest - 0xSky's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 07/09/2022

Pot Size: $20,000 CANTO

Total HM: 7

Participants: 65

Period: 1 day

Judge: 0xean

Total Solo HM: 3

Id: 159

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 21/65

Findings: 2

Award: $146.62

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCanto

Findings Information

🌟 Selected for report: hickuphh3

Also found by: 0xNazgul, 0xSky, CertoraInc, Deivitto, Jeiwan, SinceJuly, hansfriese, linmiaomiao, rbserver

Labels

bug
duplicate
2 (Med Risk)

Awards

664.9949 CANTO - $107.40

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L582

Vulnerability details

Division before multiplication can lead to an error

Impact

LP token price can be half of actual price by this mistake.

Proof of Concept

For simplicity, let us say decimals is 10**18. Prices can be nearly 1, but slightly smaller than 1. In that case, token0TVL = 0 due to the calculation error. In fact, assetReserves nearly same as token1TVL in this scenario, so the Lp price can be half of actual value.

Try multiplication first, and then division.

#0 - nivasan1

2022-09-10T19:02:19Z

duplicate #41

Findings Information

🌟 Selected for report: lukris02

Also found by: 0x040, 0x1f8b, 0x52, 0xA5DF, 0xNazgul, 0xSky, Bnke0x0, Bronicle, CertoraInc, Chom, CodingNameKiki, Deivitto, Diraco, Dravee, EthLedger, IgnacioB, JC, JansenC, Jeiwan, R2, RaymondFam, ReyAdmirado, Rolezn, SinceJuly, TomJ, Tomo, Yiko, a12jmx, ajtra, ak1, codexploder, cryptphi, csanuragjain, erictee, fatherOfBlocks, gogo, hake, hansfriese, hickuphh3, ignacio, ontofractal, oyc_109, p_crypt0, pashov, peritoflores, rajatbeladiya, rbserver, rokinot, rvierdiiev, tnevler

Awards

242.8216 CANTO - $39.22

Labels

bug
disagree with severity
QA (Quality Assurance)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L558-L592

Vulnerability details

Impact

Longer path can also lead to computation error.

Proof of Concept

For NOTE/CANTO pair, it is not stable pair in the documentation (https://docs.canto.io/overview/canto-dex-and-lp-interface). Current implementation gets LP price in terms of CANTO and then change it to NOTE. But we can calculate it directly in terms of NOTE.

Do same calculation as stable case for NOTE/CANTO pair.

#0 - nivasan1

2022-09-10T20:43:11Z

Notice that the calculation used for Note/Canto Pair, calculate TVL in Canto and multiply by Price of Note, returns the same value as the other method would, albeit with a little less precision (both values are scaled by 1e18, and will most likely lose be within 1/e15 of each other). It is not clear that this affects function / availability in a noticeable way.

#1 - 0xean

2022-09-12T13:34:24Z

downgrading to QA.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter