Back to 0xbepresent's contests

Tigris Trade contest - 0xbepresent's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Tigris Trade

Findings Distribution

Researcher Performance

Rank: 37/84

Findings: 3

Award: $271.93

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryTigris Trade

Findings Information

🌟 Selected for report: HollaDieWaldfee

Also found by: 0xbepresent, 0xsomeone, Ruhum, ali_shehab, cccz, csanuragjain, kaliberpoziomka8552, rvierdiiev, sha256yan

Labels

bug
3 (High Risk)
partial-25
sponsor confirmed
upgraded by judge
duplicate-23

Awards

40.7491 USDC - $40.75

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L19 https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L84

Vulnerability details

Impact

The extendLock() function helps to change the BondNFT lock parameters (amount, period). The problem is totalLocked is not increased.

The totalLocked is a public variable, so there may be wrong information for those who consult that specific information:

  • Users
  • Other protocols
  • Bots

Proof of Concept

I created this test in test/09.Bond.js where you can see the extendLock() does not increase the totalLocked variable::

// npx hardhat test --grep "Adding amount and time to lock the totalLocked has not changed" test/09.Bonds.js
it("Adding amount and time to lock the totalLocked has not changed", async function () {
    await stabletoken.connect(owner).mintFor(user.address, ethers.utils.parseEther("100"));
    await lock.connect(user).lock(StableToken.address, ethers.utils.parseEther("100"), 10);

    await network.provider.send("evm_increaseTime", [432000]); // Skip 5 days
    await network.provider.send("evm_mine");

    // Get the Bond 1
    [id, _owner, asset, amount, mintEpoch, mintTime, expireEpoch, pending, shares, period, expired] = await bond.idToBond(1);
    expect(amount).to.be.equals(ethers.utils.parseEther("100"));
    expect(period).to.be.equals(10);

    // Total locked is the amount == 100
    expect(await lock.totalLocked(asset)).to.be.equals(ethers.utils.parseEther("100"));

    // ExtendLock for 100 more and 10 more period.
    await stabletoken.connect(owner).mintFor(user.address, ethers.utils.parseEther("100"));
    await lock.connect(user).extendLock(1, ethers.utils.parseEther("100"), 10);  // add 100, 10

    //Total Locked is now the amount before + the new amount == 200
    expect(await lock.totalLocked(asset)).to.be.equals(ethers.utils.parseEther("200"));

    [id, _owner, asset, amount, mintEpoch, mintTime, expireEpoch, pending, shares, period, expired] = await bond.idToBond(1);
    expect(amount).to.be.equals(ethers.utils.parseEther("200"));  // new amount
    expect(period).to.be.equals(20); // New period
    //Total Locked should be amount before + the new amount == 200
    expect(await lock.totalLocked(asset)).to.be.equals(ethers.utils.parseEther("200"));
});

Tools used

VsCode/Hardhat

Add the totalLocked incremention in the Lock.sol::extendLock() function

#0 - GalloDaSballo

2022-12-22T01:58:49Z

Making primary because of POC

#1 - c4-judge

2022-12-22T01:58:52Z

GalloDaSballo marked the issue as primary issue

#2 - c4-sponsor

2023-01-03T12:48:42Z

TriHaz marked the issue as sponsor confirmed

#3 - GalloDaSballo

2023-01-16T09:46:57Z

Effectively the "low impact" version of #23

#4 - GalloDaSballo

2023-01-16T09:48:04Z

Awarding 25% for that reason

#5 - c4-judge

2023-01-16T09:48:11Z

GalloDaSballo marked the issue as partial-25

#6 - c4-judge

2023-01-16T09:48:24Z

GalloDaSballo marked the issue as duplicate of #23

#7 - c4-judge

2023-01-23T09:21:31Z

GalloDaSballo changed the severity to 3 (High Risk)

Findings Information

🌟 Selected for report: cccz

Also found by: 0xbepresent, Madalad, unforgiven

Labels

bug
2 (Med Risk)
satisfactory
duplicate-334

Awards

230.0301 USDC - $230.03

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L19 https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L124 https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L168

Vulnerability details

Impact

The GovNFT.sol::maxBridge variable is not used in the "bridging process". The lzReceive() function can run out of gas if there are many Tokens passing to another chain.

The GovNFTs can get caught in a chain because they can be burned in chain A but in Chain B the lzReceive can not process the mint.

Proof of Concept

GovNFT.sol::maxBridge limit is not used in crossChain()

Tools used

VsCode

Add a limit of GovNFT before sending the NFTs to another chain.

#0 - GalloDaSballo

2022-12-20T01:51:01Z

R

#1 - c4-judge

2022-12-20T01:51:07Z

Duplicate of https://github.com/code-423n4/2022-12-tigris-findings/issues/266

#2 - C4-Staff

2023-01-23T08:28:39Z

Simon-Busch marked the issue as duplicate of #334

#3 - Simon-Busch

2023-01-23T08:28:49Z

Reverted back to M and marked as duplicate 334 as requested by @GalloDaSballo

#4 - GalloDaSballo

2023-01-23T08:56:27Z

I had rated this QA, but after sponsor feedback have raised to Med

#5 - c4-judge

2023-01-23T08:56:32Z

GalloDaSballo marked the issue as satisfactory

Findings Information

🌟 Selected for report: 0xA5DF

Also found by: 0xA5DF, 0xNazgul, 0xSmartContract, 0xbepresent, 0xdeadbeef0x, 8olidity, Englave, Faith, HE1M, JohnnyTime, Madalad, Mukund, Ruhum, SmartSek, __141345__, aviggiano, carlitox477, cccz, chaduke, francoHacker, gz627, gzeon, hansfriese, hihen, imare, jadezti, kwhuo68, ladboy233, orion, peanuts, philogy, rbserver, wait, yjrwkk

Awards

1.1472 USDC - $1.15

Labels

bug
2 (Med Risk)
satisfactory
duplicate-377

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Trading.sol#L952 https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Trading.sol#L163 https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Trading.sol#L255 https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Trading.sol#L480 https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Trading.sol#L689

Vulnerability details

Impact

The Trading.initiateMarketOrder(), Trading.addPosition() and Trading.executeLimitOrder() pay fees to the DAO, Referrer and Bot with help of the _handleOpenFees() function. The setFees() help to set the fees by the owner.

The initiateMarketOrder(), addPosition() and executeLimitOrder() transactions can be frontrun with a fee increase. Furthermore, the user can create a limitOrder with X fee in mind and when the LimitOrder is executed by executeLimitOrder() function, the fee could have changed in that period of time

This Admin Privilege issue can be used to raise up the fees and the protocol users could get stronger security guarantees by having the fee increases behind governance timelock.

Proof of Concept

The setFees function can be called by the owner at any time.

function setFees(bool _open, uint _daoFees, uint _burnFees, uint _referralFees, uint _botFees, uint _percent) external onlyOwner {
    unchecked {
        require(_daoFees >= _botFees+_referralFees*2);
        if (_open) {
            openFees.daoFees = _daoFees;
            openFees.burnFees = _burnFees;
            openFees.referralFees = _referralFees;
            openFees.botFees = _botFees;
        } else {
            closeFees.daoFees = _daoFees;
            closeFees.burnFees = _burnFees;
            closeFees.referralFees = _referralFees;
            closeFees.botFees = _botFees;                
        }
        require(_percent <= DIVISION_CONSTANT);
        vaultFundingPercent = _percent;
    }
}

Tools used

VsCode

The setFees() should be behind a TimeLock process and add a variable "MAX_FEE" to ensure fees can not go up above the threshold.

#0 - TriHaz

2022-12-23T02:20:24Z

Duplicate of #514

#1 - c4-judge

2022-12-23T17:56:35Z

GalloDaSballo marked the issue as duplicate of #514

#2 - c4-judge

2023-01-22T13:48:26Z

GalloDaSballo marked the issue as duplicate of #377

#3 - c4-judge

2023-01-22T17:35:05Z

GalloDaSballo marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter