Inverse Finance contest - 2997ms's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Inverse Finance

Researcher Performance

Rank: 9/127

Findings: 1

Award: $3,397.85

🌟 Selected for report: 1

🚀 Solo Findings: 1

Findings Information

🌟 Selected for report: 2997ms

Labels

bug
2 (Med Risk)
satisfactory
sponsor acknowledged
selected for report
M-01

Awards

3397.8465 USDC - $3,397.85

External Links

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L205
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L280
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L399
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L537
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L570
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L602

Vulnerability details

Impact

ERC20 implementations are not always consistent. Some implementations of transfer and transferFrom could return ‘false’ on failure instead of reverting. It is safer to wrap such calls into require() statements to handle these failures.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L205
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L280
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L399
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L537
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L570
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L602

Tools Used

Read the codes

Check the return value and revert on 0/false or use OpenZeppelin’s SafeERC20 wrapper functions

#0 - c4-judge

2022-11-05T16:26:37Z

0xean marked the issue as duplicate

#1 - Simon-Busch

2022-12-05T15:16:15Z

Marked satisfactory as requested by @0xean

#2 - c4-judge

2022-12-06T14:37:17Z

0xean marked the issue as not a duplicate

#3 - c4-sponsor

2022-12-14T14:47:13Z

08xmt marked the issue as sponsor acknowledged

#4 - 08xmt

2022-12-14T14:48:05Z

Every deployment of a market will use a trusted token, and be audited by the DAO and governance. Even when using safe transfer, there's no guarantee that an ERC20 token will behave as expected.
