Asymmetry contest - 0xfusion's results

A protocol to help diversify and decentralize liquid staking derivatives.

General Information

Platform: Code4rena

Start Date: 24/03/2023

Pot Size: $49,200 USDC

Total HM: 20

Participants: 246

Period: 6 days

Judge: Picodes

Total Solo HM: 1

Id: 226

League: ETH

Asymmetry Finance

Findings Distribution

Researcher Performance

Rank: 231/246

Findings: 2

Award: $1.89

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

1.7454 USDC - $1.75

Labels

bug
3 (High Risk)
partial-50
upgraded by judge
duplicate-1098

External Links

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L111-L121

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L139-L144

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L110

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/SfrxEth.sol#L84

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/WstEth.sol#L63

Vulnerability details

Impact

SafEth: Using address(this).balance is the wrong way to keep the internal accounting correct. If someone sends ETH directly to the contract, the calculations inside unstake() and rebalanceToWeights() will be wrong.

Derivatives: The same applies to the derivative contracts, where every withdrawal sends the contract's whole ETH balance to the SafEth contract on the assumption that this is the correct amount.

Proof of Concept

In unstake() - https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L111-L121

In rebalanceToWeights() - https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L139-L144

Reth.sol - https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L110

SfrxEth.sol - https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/SfrxEth.sol#L84

WstEth.sol - https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/WstEth.sol#L63

Tools Used

VS Code

Keep the ether balance of the contract in a state variable uint256 ethAmountBalance and update it on every inflow and outflow of ETH. Update ethAmountBalance in the receive() function of the contract. Another possible solution is to revert() inside the receive() function to prevent any ETH from being sent directly. However, this does not cover the case where a malicious contract self-destructs and forcibly sends ETH to the contract.
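As an added illustration, not the project's code, a minimal derivative wrapper in the pattern the finding describes next to a version that keeps the ethAmountBalance ledger recommended above. The IUnwrapper interface, the two contract names and the vault address are constructed for this example, and the ledger is credited from the balance change around the unwrap call rather than inside receive(), so ETH sent at any other time is never counted as proceeds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Stand-in (constructed for this example) for the staking token a derivative
// unwraps; burning a position pays ETH back to the caller via receive().
interface IUnwrapper {
    function burn(uint256 amount) external;
}

// Pattern the finding describes: the derivative forwards its entire ETH
// balance, so ETH that arrived by other means (a direct transfer, or value
// forced in by selfdestruct) is paid out as if it were withdrawal proceeds.
contract DerivativeBalanceBased {
    IUnwrapper public immutable token;
    address public immutable vault; // SafEth-style contract that receives proceeds
    constructor(IUnwrapper _token, address _vault) { token = _token; vault = _vault; }
    receive() external payable {}

    function withdraw(uint256 amount) external {
        require(msg.sender == vault, "not vault");
        token.burn(amount);
        (bool ok, ) = vault.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}

// Mitigation in the spirit of the report: an explicit ethAmountBalance ledger,
// credited on inflow and debited on outflow, decides the payout. Only what the
// unwrap call delivered is credited; stray ETH stays visible in untrackedEth().
contract DerivativeTracked {
    IUnwrapper public immutable token;
    address public immutable vault;
    uint256 public ethAmountBalance; // ETH owed to the vault
    constructor(IUnwrapper _token, address _vault) { token = _token; vault = _vault; }
    receive() external payable {}

    function withdraw(uint256 amount) external {
        require(msg.sender == vault, "not vault");
        uint256 before = address(this).balance;
        token.burn(amount);
        ethAmountBalance += address(this).balance - before; // inflow
        uint256 payout = ethAmountBalance;
        ethAmountBalance = 0;                               // outflow
        (bool ok, ) = vault.call{value: payout}("");
        require(ok, "transfer failed");
    }

    function untrackedEth() external view returns (uint256) {
        return address(this).balance - ethAmountBalance;
    }
}
```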

#0 - c4-pre-sort

2023-04-04T13:57:03Z

0xSorryNotSorry marked the issue as duplicate of #454

#1 - c4-judge

2023-04-21T16:21:11Z

Picodes marked the issue as duplicate of #1098

#2 - c4-judge

2023-04-24T20:59:37Z

Picodes marked the issue as partial-50

#3 - c4-judge

2023-04-24T21:39:18Z

Picodes changed the severity to 3 (High Risk)

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L171

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L240

Vulnerability details

Impact

The rethPerEth value is determined by poolPrice() for rETH. This price is derived from a single source of truth, the UniswapV3 pool, which opens a flash-loan attack vector.

Proof of Concept

rethPerEth calculation - https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L171

Obtaining price from pool - https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L240

The attacker can take a flash loan from the rETH/WETH pool, thus manipulating the value returned by poolPrice() and potentially receiving more safEth tokens.

Tools Used

VS Code

1. Use an oracle like Chainlink in order to get the price of an asset.

#0 - c4-pre-sort

2023-04-04T11:35:06Z

0xSorryNotSorry marked the issue as duplicate of #601

#1 - c4-judge

2023-04-21T16:14:36Z

Picodes marked the issue as satisfactory

#2 - c4-judge

2023-04-21T16:15:14Z

Picodes marked the issue as duplicate of #1125
