Decent - 0xdedo93's results

Decent enables one-click transactions using any token across chains.

General Information

Platform: Code4rena

Start Date: 19/01/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 113

Period: 3 days

Judge: 0xsomeone

Id: 322

League: ETH

Researcher Performance

Rank: 67/113

Findings: 1

Award: $17.30

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

17.3003 USDC - $17.30

Labels

bug
2 (Med Risk)
partial-75
sufficient quality report
duplicate-590

External Links

Lines of code

https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L311
https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L134
https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L228

Vulnerability details

Impact

There exists a code path that allows any user to call the function swapAndExecute (which is a wrapper around the function _swapAndExecute) without paying Decent protocol fees. To exploit the bug, it is enough to call the public function receiveFromBridge directly, which in turn reaches the function _swapAndExecute without passing through the check of the modifier retrieveAndCollectFees.

By calling the function receiveFromBridge, it is possible to achieve a swap and execute operation without paying the fees, as you can control all the arguments passed in to the function _swapAndExecute.

Proof of Concept

The function swapAndExecute is the legitimate entry point for a swap and execute operation.

function swapAndExecute https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L108

function _swapAndExecute https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L134

modifier retrieveAndCollectFees https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L228

function receiveFromBridge https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L311

As shown in the Decent protocol test function testSwapWethToUsdcAndMintAnNft (file name UTBExactOutRoutesTestEth2Eth.t.sol), the UTB function swapAndExecute is called as follows:

utb.swapAndExecute(instructions, fees, signature);

The same logic operation can be achieved by the following code:

SwapInstructions memory swapInstructions =
SwapInstructions({swapperId: swapper.getId(), swapPayload: abi.encode(swapParams, address(utb), refund)});

utb.receiveFromBridge(swapInstructions, address(cat), address(cat), abi.encodeCall(cat.mintWithUsdc, (bob)), refund);

which calls the public function with no modifier check.

Tools Used

Foundry

Recommended Mitigation Steps

Add the modifier retrieveAndCollectFees for the function receiveFromBridge.

Assessed type

Other
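A static check for the pattern this finding describes, listing public or external functions that reach _swapAndExecute with no retrieveAndCollectFees on the call path. This is an added example, not code from the submission or from Decent; the Solidity sample is a constructed, simplified stand-in for UTB.sol, and the regex-based parsing is a heuristic that assumes no braces inside string literals.

```python
import re

# Constructed, simplified stand-in for UTB.sol (signatures abbreviated).
SAMPLE_SRC = """
contract UTBLike {
    modifier retrieveAndCollectFees(uint256 amount) { _; }
    function swapAndExecute(bytes calldata instructions, uint256 amount)
        public
        retrieveAndCollectFees(amount)
    {
        _swapAndExecute(instructions);
    }
    function receiveFromBridge(bytes calldata instructions) public {
        _swapAndExecute(instructions); // no fee modifier on this path
    }
    function _swapAndExecute(bytes memory instructions) private {}
}
"""

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")

def parse_functions(src):
    """Map each function name to (header attributes, body). Regex heuristic."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)  # drop comments
    funcs = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        funcs[m.group(1)] = (m.group(3), src[m.end():i - 1])
    return funcs

def unguarded_entrypoints(src, sink, modifier):
    """Public/external functions that reach `sink` with no `modifier` on the path."""
    funcs = parse_functions(src)
    calls = {n: [c for c in funcs if c != n and re.search(rf"\b{c}\s*\(", body)]
             for n, (_, body) in funcs.items()}
    guarded = {n for n, (attrs, _) in funcs.items() if re.search(rf"\b{modifier}\b", attrs)}
    def reaches(name, seen):
        if name == sink:
            return True
        if name in guarded or name in seen:
            return False
        seen.add(name)
        return any(reaches(c, seen) for c in calls[name])

    return sorted(n for n, (attrs, _) in funcs.items() if n != sink
                  and re.search(r"\b(public|external)\b", attrs) and reaches(n, set()))
```

Calling `unguarded_entrypoints(SAMPLE_SRC, "_swapAndExecute", "retrieveAndCollectFees")` on the sample reports `receiveFromBridge`. The check only looks for the named modifier on the path, so an entry point protected in some other way, such as a caller restriction, is still listed and needs manual review.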

#0 - c4-pre-sort

2024-01-25T20:58:39Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-01-25T20:58:45Z

raymondfam marked the issue as duplicate of #15

#2 - c4-judge

2024-02-03T12:13:49Z

alex-ppg marked the issue as satisfactory

#3 - c4-judge

2024-02-03T12:13:54Z

alex-ppg marked the issue as partial-75

#4 - alex-ppg

2024-02-03T12:14:11Z

The submission has been graded as 75% due to mentioning an incorrect alleviation.
