Asymmetry contest - 0xc0ffEE's results

A protocol to help diversify and decentralize liquid staking derivatives.

General Information

Platform: Code4rena

Start Date: 24/03/2023

Pot Size: $49,200 USDC

Total HM: 20

Participants: 246

Period: 6 days

Judge: Picodes

Total Solo HM: 1

Id: 226

League: ETH

Asymmetry Finance

Researcher Performance

Rank: 202/246

Findings: 1

Award: $11.13

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

11.1318 USDC - $11.13

Labels

bug
2 (Med Risk)
low quality report
satisfactory
duplicate-363

External Links

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L83-L98

Vulnerability details

Impact

In cases such as (a) SafEth has been deployed and no derivative has been added yet, or (b) derivative weights are set to 0, whether accidentally or by malicious owners, stakers would receive a mintAmount of 0 while spending at least minAmount ETH. Stakers cannot withdraw this amount of ETH.

Proof of Concept

https://prover.certora.com/output/85902/34363f7f37cf4b17bc7190ea0dfb8d35?anonymousKey=1950f1f3e3cd53876f902057e69958bf9576d133

spec file

    rule stakers_funds_locked() {
        env e;
        // Precondition: no derivative has been added, or all weights sum to zero
        require derivativeCount() == 0 || totalWeight() == 0;
        require e.msg.sender != currentContract;
        require e.msg.value > 0;

        uint256 balance = balanceOf(e.msg.sender);
        stake(e);
        uint256 balanceAfter = balanceOf(e.msg.sender);

        // The staker's balance is unchanged even though ETH was sent
        assert balanceAfter == balance;
    }

Tools Used

Certora

Add require(mintAmount > 0);
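The two cases from the Impact section and the effect of the suggested check, as an added example that is not part of the original submission or of the SafEth code base. It is a simplified Python model of the stake accounting: StakeModel, run_case and unbacked_eth are hypothetical names, and a 1:1 price between routed ETH and minted shares is assumed.

```python
# Added example: simplified model of the stake accounting, not the SafEth contract.
# Assumption: minted shares equal the ETH routed to derivatives (price fixed at 1:1).

class Revert(Exception):
    """Stands in for a reverted transaction; no state change is kept."""


class StakeModel:
    def __init__(self, weights, min_amount=1, require_nonzero_mint=False):
        self.weights = list(weights)      # one weight per derivative
        self.min_amount = min_amount
        self.require_nonzero_mint = require_nonzero_mint  # the suggested fix
        self.balances = {}                # staker -> shares
        self.eth_received = 0             # wei accepted by stake()

    def balance_of(self, staker):
        return self.balances.get(staker, 0)

    def stake(self, staker, value):
        if value < self.min_amount:
            raise Revert("amount too low")
        total_weight = sum(self.weights)
        routed = 0
        for weight in self.weights:       # body never runs when there are no derivatives
            if weight == 0:               # zero-weight derivatives receive nothing
                continue
            routed += value * weight // total_weight
        mint_amount = routed
        if self.require_nonzero_mint and mint_amount == 0:
            raise Revert("mintAmount is zero")
        # State changes happen only after every check has passed.
        self.eth_received += value
        self.balances[staker] = self.balance_of(staker) + mint_amount
        return mint_amount

    def unbacked_eth(self):
        """ETH accepted by stake() that no share can redeem."""
        return self.eth_received - sum(self.balances.values())


def run_case(weights, fixed):
    """Stake 1 ETH (constructed input) and return (minted, unbacked wei)."""
    model = StakeModel(weights, require_nonzero_mint=fixed)
    try:
        minted = model.stake("staker", 10**18)
    except Revert:
        minted = None                     # reverted: the ETH stays with the staker
    return minted, model.unbacked_eth()
```

A minted value of None means the call reverted; without the check, both the empty derivative list and the all-zero weights leave the full 1 ETH unbacked by any shares.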

#0 - c4-pre-sort

2023-04-03T14:22:08Z

0xSorryNotSorry marked the issue as low quality report

#1 - c4-pre-sort

2023-04-04T19:27:33Z

0xSorryNotSorry marked the issue as duplicate of #363

#2 - c4-judge

2023-04-21T16:32:05Z

Picodes marked the issue as satisfactory
