Caviar contest - 8olidity's results

A fully on-chain NFT AMM that allows you to trade every NFT in a collection.

General Information

Platform: Code4rena

Start Date: 12/12/2022

Pot Size: $36,500 USDC

Total HM: 8

Participants: 103

Period: 7 days

Judge: berndartmueller

Id: 193

League: ETH

Researcher Performance

Rank: 26/103

Findings: 2

Award: $234.49

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: obront

Also found by: 0xmuxyz, 8olidity, CRYP70, Tricko, cozzetti, cryptostellar5, koxuan, ktg, ladboy233, yixxas

Labels

bug
2 (Med Risk)
satisfactory
duplicate-141

Awards

184.3311 USDC - $184.33

External Links

Lines of code

https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L390-L392

Vulnerability details

Impact

When computing the price, the baseTokenReserves are multiplied by the hardcoded ONE, then divided by fractionalTokenReserves(). Both ONE and fractionalToken have a precision of 18, but there are no special requirements for the accuracy of the base token. Take USDT as the base token: its precision is 6. Then the result of the price() function will be too small, and may also be 0.

Proof of Concept

    function price() public view returns (uint256) {
        return (_baseTokenReserves() * ONE) / fractionalTokenReserves(); //@audit 
    }

Tools Used

vscode

The decimals of the basetoken are required to be 18
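The arithmetic behind this finding, as an added example that is not part of the submission or of the Caviar code base: a Python integer model of the quoted `price()` next to a hypothetical decimals-aware variant. It assumes callers read the return value as an 18-decimal fixed-point number; `price_normalized`, `as_decimal_string`, `compare` and the pool sizes are constructed for illustration.

```python
# Integer model of Pair.price(); Solidity uint256 division truncates, like // here.
ONE = 10**18  # fractional tokens use 18 decimals

def price(base_reserves: int, fractional_reserves: int) -> int:
    """Mirror of the quoted price(): (baseTokenReserves * ONE) / fractionalTokenReserves."""
    return (base_reserves * ONE) // fractional_reserves

def price_normalized(base_reserves: int, fractional_reserves: int, base_decimals: int) -> int:
    """Hypothetical variant (not the project's code): scale by 10**(36 - base_decimals)
    so the result is an 18-decimal fixed-point number for any base token."""
    if not 0 <= base_decimals <= 36:
        raise ValueError("base_decimals out of range")
    return (base_reserves * 10 ** (36 - base_decimals)) // fractional_reserves

def as_decimal_string(value: int, decimals: int = 18) -> str:
    """Render a fixed-point integer for display without float rounding."""
    whole, frac = divmod(value, 10**decimals)
    return f"{whole}.{frac:0{decimals}d}"

def compare(base_amount: int, base_decimals: int, fractional_amount: int) -> dict:
    """Constructed pool: whole base tokens against whole fractional tokens."""
    base_reserves = base_amount * 10**base_decimals
    fractional_reserves = fractional_amount * ONE
    return {
        "raw": price(base_reserves, fractional_reserves),
        "normalized": price_normalized(base_reserves, fractional_reserves, base_decimals),
    }

if __name__ == "__main__":
    # Same economic pool (1000 base tokens, 10 fractional tokens), two base-token precisions.
    for label, decimals in (("18-decimal base token", 18), ("6-decimal base token", 6)):
        result = compare(1000, decimals, 10)
        print(label, {k: as_decimal_string(v) for k, v in result.items()})
    # Dust reserves: 5 base units of a 6-decimal token against 10 fractional tokens.
    print("dust raw price:", price(5, 10 * ONE))
    print("dust normalized:", as_decimal_string(price_normalized(5, 10 * ONE, 6)))
```

Read in the base token's own 6 decimals, the raw result for the 6-decimal pool is still 100 base tokens per fractional token; the mismatch appears when it is read as an 18-decimal value, and the truncation to 0 appears with small reserves.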

#0 - c4-judge

2022-12-28T15:37:19Z

berndartmueller marked the issue as duplicate of #53

#1 - c4-judge

2023-01-10T09:31:40Z

berndartmueller marked the issue as satisfactory

#2 - C4-Staff

2023-01-25T12:23:07Z

CloudEllie marked the issue as duplicate of #141

Awards

50.16 USDC - $50.16

Labels

bug
downgraded by judge
grade-b
QA (Quality Assurance)
Q-11

External Links

Lines of code

https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L463-L472

Vulnerability details

Impact

_validateTokenIds() does not check the length of the incoming tokenIds and proofs arrays. The length of the proofs array may be less than the length of tokenIds.

Proof of Concept

    function _validateTokenIds(uint256[] calldata tokenIds, bytes32[][] calldata proofs) internal view {//@audit  
        // if merkle root is not set then all tokens are valid
        if (merkleRoot == bytes23(0)) return;

        // validate merkle proofs against merkle root
        for (uint256 i = 0; i < tokenIds.length; i++) {
            bool isValid = MerkleProofLib.verify(proofs[i], merkleRoot, keccak256(abi.encodePacked(tokenIds[i])));
            require(isValid, "Invalid merkle proof");
        }
    }

Tools Used

vscode

    require(tokenIds.length == proofs.length);

#0 - berndartmueller

2022-12-28T11:42:06Z

It is the user's responsibility to ensure the parameters are passed correctly. Additionally, it will revert the transaction anyway due to array out of bounds access.

#1 - c4-judge

2022-12-28T11:42:28Z

berndartmueller changed the severity to QA (Quality Assurance)

#2 - c4-judge

2023-01-16T11:47:07Z

berndartmueller marked the issue as grade-b
