Basin - 404Notfound's results

A composable EVM-native decentralized exchange protocol.

General Information

Platform: Code4rena

Start Date: 03/07/2023

Pot Size: $40,000 USDC

Total HM: 14

Participants: 74

Period: 7 days

Judge: alcueca

Total Solo HM: 9

Id: 259

League: ETH

Basin

Findings Distribution

Researcher Performance

Rank: 72/74

Findings: 1

Award: $6.07

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Missing validation of the pump length in firstPump()

Proof of Concept

The firstPump() function is called from _updatePumps(), which first returns early when there are no pumps and only calls firstPump() after checking that the pump count equals 1.

    function _updatePumps(uint256 _numberOfTokens) internal returns (uint256[] memory reserves) {
        reserves = _getReserves(_numberOfTokens);

        if (numberOfPumps() == 0) {
            return reserves;
        }

        // gas optimization: avoid looping if there is only one pump
        if (numberOfPumps() == 1) {
            Call memory _pump = firstPump();

However, firstPump() is a public function that can be called directly by other contracts; when the pump count is zero, it still decodes from dataLoc and returns an invalid pump. https://github.com/code-423n4/2023-07-basin/blob/e1b03e74a87954892ff8c32dfd647972ec6e6a8f/src/Well.sol#L172-L178

Check that the pump count is greater than zero before decoding the pump.

    function firstPump() public pure returns (Call memory _pump) {
        // Guard: with no pumps, dataLoc points past the encoded pump data,
        // so return the empty default struct instead of decoding whatever is there.
        if (numberOfPumps() == 0) return _pump;
        uint256 dataLoc = LOC_VARIABLE + numberOfTokens() * ONE_WORD + wellFunctionDataLength();
        _pump.target = _getArgAddress(dataLoc);
        uint256 pumpDataLength = _getArgUint256(dataLoc + PACKED_ADDRESS);
        _pump.data = _getArgBytes(dataLoc + ONE_WORD_PLUS_PACKED_ADDRESS, pumpDataLength);
    }
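As an added illustration (not Basin's code), the following Python model walks the packed-argument layout that firstPump() decodes and shows why the `numberOfPumps() == 0` check inside _updatePumps() does nothing for direct callers: with zero pumps, dataLoc lands at the end of the encoded arguments and the unguarded decode hands back a zero-address pump. The header layout behind LOC_VARIABLE and the zero-fill on reads past the end of the arguments (EVM calldataload/calldatacopy behaviour) are assumptions of this model.

```python
# Added model of the decode performed by firstPump(); not Basin's code.
# Constants reuse the names from the finding. The 3-word header and the
# zero-fill on out-of-range reads are assumptions of this model.
ONE_WORD = 32
PACKED_ADDRESS = 20
ONE_WORD_PLUS_PACKED_ADDRESS = ONE_WORD + PACKED_ADDRESS
LOC_VARIABLE = 3 * ONE_WORD  # assumed header: numberOfTokens | wellFunctionDataLength | numberOfPumps


def _load(args: bytes, offset: int, length: int) -> bytes:
    """calldataload/calldatacopy-style read: bytes past the end of args read as zero."""
    return args[offset:offset + length].ljust(length, b"\x00")


def encode_args(tokens: list, well_fn_data: bytes, pumps: list) -> bytes:
    """Pack header, one word per token, the well-function data, then each pump as
    20-byte target | 32-byte data length | data, the region firstPump() walks."""
    header = (len(tokens).to_bytes(ONE_WORD, "big") + len(well_fn_data).to_bytes(ONE_WORD, "big")
              + len(pumps).to_bytes(ONE_WORD, "big"))
    body = b"".join(t.rjust(ONE_WORD, b"\x00") for t in tokens) + well_fn_data
    for target, data in pumps:
        body += target + len(data).to_bytes(ONE_WORD, "big") + data
    return header + body


def first_pump_unguarded(args: bytes) -> tuple:
    """Mirrors the original firstPump(): decodes whatever sits at dataLoc, pumps or not."""
    n_tokens = int.from_bytes(_load(args, 0, ONE_WORD), "big")
    wf_len = int.from_bytes(_load(args, ONE_WORD, ONE_WORD), "big")
    data_loc = LOC_VARIABLE + n_tokens * ONE_WORD + wf_len
    target = _load(args, data_loc, PACKED_ADDRESS)
    data_len = int.from_bytes(_load(args, data_loc + PACKED_ADDRESS, ONE_WORD), "big")
    return target, _load(args, data_loc + ONE_WORD_PLUS_PACKED_ADDRESS, data_len)


def first_pump_guarded(args: bytes) -> tuple:
    """Hardened variant: refuse to decode when the well was deployed with no pumps."""
    n_pumps = int.from_bytes(_load(args, 2 * ONE_WORD, ONE_WORD), "big")
    if n_pumps == 0:
        raise ValueError("well has no pumps")
    return first_pump_unguarded(args)


# Constructed sample wells: two tokens, 8 bytes of well-function data, zero or one pump.
TOKEN_A, TOKEN_B = bytes([0xAA]) * 20, bytes([0xBB]) * 20
PUMP = (bytes([0xCC]) * 20, b"\x01\x02\x03")
NO_PUMPS = encode_args([TOKEN_A, TOKEN_B], b"\xEE" * 8, [])
ONE_PUMP = encode_args([TOKEN_A, TOKEN_B], b"\xEE" * 8, [PUMP])
```

With ONE_PUMP both decoders agree; with NO_PUMPS the unguarded decode returns a pump whose target is the zero address, which is exactly the value _updatePumps() never sees because it bails out first.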

#0 - c4-pre-sort

2023-07-13T14:47:06Z

141345 marked the issue as high quality report

#1 - c4-pre-sort

2023-07-14T05:52:49Z

141345 marked the issue as low quality report

#2 - c4-judge

2023-08-04T21:22:06Z

alcueca marked the issue as grade-b
