Tigris Trade contest - 0xhacksmithh's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Tigris Trade

Findings Distribution

Researcher Performance

Rank: 53/84

Findings: 1

Award: $133.36

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
edited-by-warden
duplicate-462

Awards

133.3608 USDC - $133.36

External Links

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L44-L51
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L65-L72

Vulnerability details

Impact

When one listed token is about to collapse, an attacker can front-run the delisting, deposit the token that is about to collapse, and withdraw a different listed token. The same scenario is possible whenever two tokens supported by this contract trade at different prices for any reason: a malicious user deposits the less valuable token and withdraws the more expensive one, which harms the experience of normal users.

Proof of Concept

Another issue I notice here is that, after depositing one type of token, a user is able to withdraw any other type of listed token (because the withdraw path only checks the caller's Tigris stable token balance and burns it, transferring the same amount of the requested listed token in return). Maybe it's a feature.

But as we have recently seen, many stablecoins collapsed (like UST and others), so it is possible that a coin listed on this platform is on the verge of collapse; users may then deposit that token into this platform (contract) and get another stable token in return.

Let USDT be about to collapse (hypothetically). I deposit() 1000 USDT and withdraw 1000 DAI. In this way I'm stealing other users' funds.

Obviously I notice there is a delisting option, delistToken(), available for the owner to delist a token at any time, but that can be front-run.

```solidity
// deposit(): pulls the listed token in and mints receipt tokens scaled to 18 decimals
function deposit(address _token, uint256 _amount) public {
    require(allowed[_token], "Token not listed");
    IERC20(_token).transferFrom(_msgSender(), address(this), _amount);
    IERC20Mintable(stable).mintFor(
        _msgSender(),
        _amount*(10**(18-IERC20Mintable(_token).decimals()))
    );
}

// withdraw(): burns receipt tokens and pays out the same amount of any listed token,
// without checking which token the caller originally deposited
function withdraw(address _token, uint256 _amount) external returns (uint256 _output) {
    IERC20Mintable(stable).burnFrom(_msgSender(), _amount);
    _output = _amount/10**(18-IERC20Mintable(_token).decimals());
    IERC20(_token).transfer(
        _msgSender(),
        _output
    );
}
```

Tools Used

Manual Review

Maybe you should mint a different type of Tigris stable token for each type of ERC20, as other popular platforms such as Aave do, or make some other logic change.
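As an added illustration (not the project's code and not part of the original submission), the following Python model reproduces the accounting of the two quoted functions and places it beside a variant that follows the recommendation above: a separate receipt balance per listed asset. Token names, the decimals (USDT 6, DAI 18), the $0.50 depeg price and the `demo()` scenario are all constructed for the model; `to_receipt`, `from_receipt`, `SharedReceiptVault` and `PerAssetReceiptVault` are names chosen here, not identifiers from StableVault.sol.

```python
# Constructed model of the StableVault deposit()/withdraw() accounting quoted above.
# Decimals are illustrative (USDT 6, DAI 18); nothing here is the project's code.
DECIMALS = {"USDT": 6, "DAI": 18}


def to_receipt(amount: int, decimals: int) -> int:
    """deposit(): _amount * 10**(18 - decimals) receipt units are minted."""
    return amount * 10 ** (18 - decimals)


def from_receipt(receipt_amount: int, decimals: int) -> int:
    """withdraw(): _amount / 10**(18 - decimals) units of the asset are paid out."""
    return receipt_amount // 10 ** (18 - decimals)


class SharedReceiptVault:
    """Mirrors the quoted logic: one receipt balance backs every listed asset,
    so withdraw() never checks which asset the caller actually deposited."""

    def __init__(self, listed):
        self.allowed = set(listed)
        self.reserves = {t: 0 for t in listed}   # asset units held by the vault
        self.receipt = {}                        # holder -> receipt balance (18 dec)

    def deposit(self, who: str, token: str, amount: int) -> None:
        if token not in self.allowed:
            raise ValueError("Token not listed")
        self.reserves[token] += amount
        self.receipt[who] = self.receipt.get(who, 0) + to_receipt(amount, DECIMALS[token])

    def withdraw(self, who: str, token: str, receipt_amount: int) -> int:
        bal = self.receipt.get(who, 0)
        if bal < receipt_amount:
            raise ValueError("burnFrom: insufficient receipt balance")
        output = from_receipt(receipt_amount, DECIMALS[token])
        if self.reserves[token] < output:
            raise ValueError("transfer: insufficient reserves")
        self.receipt[who] = bal - receipt_amount
        self.reserves[token] -= output
        return output


class PerAssetReceiptVault(SharedReceiptVault):
    """Hardened variant along the lines of the recommendation: a separate
    receipt balance per (holder, asset), so a holder can only draw out the
    asset they deposited and cannot convert a depegging asset into a sound one."""

    def deposit(self, who: str, token: str, amount: int) -> None:
        if token not in self.allowed:
            raise ValueError("Token not listed")
        self.reserves[token] += amount
        key = (who, token)
        self.receipt[key] = self.receipt.get(key, 0) + to_receipt(amount, DECIMALS[token])

    def withdraw(self, who: str, token: str, receipt_amount: int) -> int:
        key = (who, token)
        bal = self.receipt.get(key, 0)
        if bal < receipt_amount:
            raise ValueError("insufficient receipt balance for this asset")
        output = from_receipt(receipt_amount, DECIMALS[token])
        if self.reserves[token] < output:
            raise ValueError("transfer: insufficient reserves")
        self.receipt[key] = bal - receipt_amount
        self.reserves[token] -= output
        return output


def backing_value(vault, prices) -> int:
    """USD value of the reserves in 1e18 units, given per-unit prices where 1e18 == $1."""
    total = 0
    for token, units in vault.reserves.items():
        total += to_receipt(units, DECIMALS[token]) * prices[token] // 10**18
    return total


def demo() -> dict:
    prices_depeg = {"USDT": 5 * 10**17, "DAI": 10**18}   # constructed: USDT trading at $0.50
    r = {}
    shared = SharedReceiptVault(["USDT", "DAI"])
    shared.deposit("lp", "DAI", 1000 * 10**18)           # honest LP deposits 1000 DAI
    shared.deposit("taker", "USDT", 1000 * 10**6)        # 1000 units of the depegging asset
    r["shared_dai_out"] = shared.withdraw("taker", "DAI", 1000 * 10**18)
    r["shared_dai_left"] = shared.reserves["DAI"]
    r["shared_backing"] = backing_value(shared, prices_depeg)   # what now backs the LP's receipts

    hardened = PerAssetReceiptVault(["USDT", "DAI"])
    hardened.deposit("lp", "DAI", 1000 * 10**18)
    hardened.deposit("taker", "USDT", 1000 * 10**6)
    try:
        hardened.withdraw("taker", "DAI", 1000 * 10**18)
        r["hardened_blocked"] = False
    except ValueError:
        r["hardened_blocked"] = True
    r["hardened_usdt_out"] = hardened.withdraw("taker", "USDT", 1000 * 10**18)
    r["hardened_dai_left"] = hardened.reserves["DAI"]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the shared-receipt model the LP's 1000 receipt units end up backed by reserves worth $500 at the depegged price, which is the loss the Impact section describes; in the per-asset model the cross-asset withdrawal is rejected while withdrawing the deposited asset still works, so the vault's reserves per asset stay matched to the receipts issued against them.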

#0 - c4-judge

2022-12-20T16:12:36Z

GalloDaSballo marked the issue as duplicate of #462

#1 - c4-judge

2022-12-20T16:13:17Z

GalloDaSballo changed the severity to 3 (High Risk)

#2 - c4-judge

2023-01-22T17:36:55Z

GalloDaSballo marked the issue as satisfactory
