Back to 0xleadwizard's contests

Munchables - 0xleadwizard's results

A web3 point farming game in which Keepers nurture creatures to help them evolve, deploying strategies to earn them rewards in competition with other players.

General Information

Platform: Code4rena

Start Date: 22/05/2024

Pot Size: $20,000 USDC

Total HM: 6

Participants: 126

Period: 5 days

Judge: 0xsomeone

Total Solo HM: 1

Id: 379

League: ETH

Munchables

Findings Distribution

Researcher Performance

Rank: 43/126

Findings: 2

Award: $0.02

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryMunchables

Findings Information

🌟 Selected for report: SpicyMeatball

Also found by: 0rpse, 0xMosh, 0xblack_bird, 0xdice91, 0xhacksmithh, 0xleadwizard, 0xmystery, Audinarey, AvantGard, Bigsam, Dots, EPSec, Eeyore, Janio, Limbooo, LinKenji, Mahmud, MrPotatoMagic, Myd, Oxsadeeq, Sabit, SovaSlava, Stefanov, Tychai0s, Utsav, Varun_05, Walter, adam-idarrha, ahmedaghadi, araj, aslanbek, ayden, bigtone, c0pp3rscr3w3r, carrotsmuggler, crypticdefense, dhank, fyamf, gajiknownnothing, gavfu, itsabinashb, jasonxiale, joaovwfreire, ke1caM, leegh, merlinboii, mitko1111, n4nika, pfapostol, prapandey031, rouhsamad, sandy, snakeeaterr, stakog, steadyman, swizz, tedox, th3l1ghtd3m0n, trachev, turvy_fuzz, xyz, yashgoel72, zhaojohnson

Awards

0.0105 USDC - $0.01

Labels

bug
3 (High Risk)
partial-75
sufficient quality report
:robot:_03_group
duplicate-7

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L256-L268

Vulnerability details

Impact

Users can change the lock duration to a shorter duration, which is unintended.

Proof of Concept

Before changing the lock duration, it is checked that duration + block.timestamp >= unlockTime, This is so that the user can't set a duration that unlocks before the previous lock.

// check they are not setting lock time before current unlocktime
 if (
     uint32(block.timestamp) + uint32(_duration) <
     lockedTokens[msg.sender][tokenContract].unlockTime
 ) {
     revert LockDurationReducedError();
 }

But while updating the lock duration, lastLockTime instead of block.timestamp is used which makes the previous check ineffective.


uint32 lastLockTime = lockedTokens[msg.sender][tokenContract]
    .lastLockTime;
lockedTokens[msg.sender][tokenContract].unlockTime =
    lastLockTime +
    uint32(_duration);

Example:

  1. User creates a lock for a token, where unlockTime = 1000 and block.timestamp = 0 = lastLockTime
  2. Now block.timestamp is 500, User calls setLockDuration with duration = 501, the check will pass since (500 + 501 >= 1000), then the unlockTime will be set to 0 + 501 = 501
  3. So user will be able to unlock in the next block

Use the below snippet here

lockedTokens[msg.sender][tokenContract].unlockTime =
    block.timestamp +
    uint32(_duration);

Assessed type

Invalid Validation

#0 - c4-judge

2024-06-04T12:40:55Z

alex-ppg marked the issue as duplicate of #89

#1 - c4-judge

2024-06-05T12:53:43Z

alex-ppg marked the issue as partial-75

Findings Information

🌟 Selected for report: robertodf99

Also found by: 0xAadi, 0xAkira, 0xdice91, 0xhacksmithh, 0xleadwizard, AgileJune, Bauchibred, Bbash, Beosin, Bigsam, Dots, EPSec, EaglesSecurity, Eeyore, Evo, John_Femi, Mahmud, MrPotatoMagic, RotiTelur, Rushkov_Boyan, Sabit, Sentryx, Stormreckson, Topmark, Tychai0s, Utsav, Walter, ZanyBonzy, ZdravkoHr, adam-idarrha, araj, aslanbek, avoloder, bigtone, brevis, brgltd, carrotsmuggler, crypticdefense, dd0x7e8, dhank, djanerch, falconhoof, iamandreiski, joaovwfreire, leegh, merlinboii, mitko1111, pamprikrumplikas, pfapostol, prapandey031, swizz, trachev, twcctop, typicalHuman, unique, xyz

Awards

0.0148 USDC - $0.01

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
:robot:_11_group
duplicate-495

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L177-L207 https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L210-L242

Vulnerability details

Impact

There is inconsistency in validation between approving & disapproving the proposed price.

Proof of Concept

While disapproving a proposal, whether the same user has approved the same proposal or not is checked

if (usdUpdateProposal.approvals[msg.sender] == _usdProposalId)
    revert ProposalAlreadyApprovedError();
if (usdUpdateProposal.disapprovals[msg.sender] == _usdProposalId)
    revert ProposalAlreadyDisapprovedError();

But when approving the proposal, no check is there for whether the same user has disapproved it or not.

if (usdUpdateProposal.approvals[msg.sender] == _usdProposalId)
    revert ProposalAlreadyApprovedError();

Perform the below check in approveUSDPrice

if (usdUpdateProposal.disapprovals[msg.sender] == _usdProposalId)
    revert ProposalAlreadyDisapprovedError();

Assessed type

Invalid Validation

#0 - c4-judge

2024-06-05T12:42:40Z

alex-ppg marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter