Platform: Code4rena
Start Date: 24/03/2022
Pot Size: $75,000 USDC
Total HM: 15
Participants: 59
Period: 7 days
Judge: gzeon
Id: 103
League: ETH
Rank: 22/59
Findings: 2
Award: $986.27
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: kirk-baird
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/AnyswapFacet.sol#L35-L66
Without the whitelist and lock, this contract has a potential reentrancy vulnerability.
startBridgeTokensViaAnyswap does not perform a whitelist judgment on the token address, and the contract does not have a reentrancy lock. At LibAsset.transferFromERC20, an attacker can custom-construct a malicious transferFrom function of an ERC20 contract to perform a reentrancy attack on the startBridgeTokensViaAnyswap contract.
#0 - H3xept
2022-04-11T12:26:01Z
Duplicate of #109
#1 - gzeoneth
2022-04-16T16:47:13Z
While the reentrancy is valid, there is no exploit; changing to Med Risk.
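The two mitigations the finding above names, a token allowlist and a reentrancy lock, sketched as an added example (not code from the audited repository or from any participant in this thread). The contract, function, error and event names are hypothetical, and it is written as a stand-alone contract rather than a diamond facet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added example: all names are hypothetical, not taken from the audited repository.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract GuardedBridgeEntry {
    address public immutable owner;
    mapping(address => bool) public tokenAllowed; // allowlist of token contracts
    uint256 private lockState = 1;                // 1 = idle, 2 = inside a guarded call

    error NotOwner();
    error Reentrancy();
    error TokenNotAllowed(address token);
    error NothingReceived();

    event BridgeStarted(address indexed token, address indexed from, uint256 received);

    constructor() { owner = msg.sender; }

    // Reverts if a guarded function is entered again before the first call returns.
    modifier nonReentrant() {
        if (lockState != 1) revert Reentrancy();
        lockState = 2;
        _;
        lockState = 1;
    }

    function setTokenAllowed(address token, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        tokenAllowed[token] = allowed;
    }

    // The token address is caller-supplied, so it is checked before any call into it.
    function startBridge(address token, uint256 amount) external nonReentrant {
        if (!tokenAllowed[token]) revert TokenNotAllowed(token);
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        // Assumes a token that returns bool; production code would use a safe-transfer wrapper.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert NothingReceived();
        emit BridgeStarted(token, msg.sender, received);
        // Hand-off to the bridge router would follow here, using `received`.
    }
}
```

In a diamond, the lock flag and allowlist would have to live in a dedicated storage slot shared by all facets, so that re-entry through a different facet is also rejected.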
🌟 Selected for report: Dravee
Also found by: 0v3rf10w, 0xDjango, 0xNazgul, 0xkatana, ACai, CertoraInc, FSchmoede, Funen, Hawkeye, IllIllI, Jujic, Kenshin, PPrieditis, Picodes, SolidityScan, TerrierLover, Tomio, WatchPug, catchup, csanuragjain, defsec, dimitri, hake, hickuphh3, kenta, minhquanym, obront, peritoflores, rayn, rfa, robee, saian, samruna, tchkvsky, teryanarmen, ych18
61.5429 USDC - $61.54
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/AnyswapFacet.sol#L35
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/AnyswapFacet.sol#L74-L78
AnyswapFacet.swapAndStartBridgeTokensViaAnyswap and AnyswapFacet.startBridgeTokensViaAnyswap can be changed from "public" to "external"
#0 - H3xept
2022-04-08T15:07:24Z
Duplicate of #197