Rubicon contest - ACai's results

An order book protocol for Ethereum, built on L2s.

General Information

Platform: Code4rena

Start Date: 23/05/2022

Pot Size: $50,000 USDC

Total HM: 44

Participants: 99

Period: 5 days

Judge: hickuphh3

Total Solo HM: 11

Id: 129

League: ETH

Rubicon

Findings Distribution

Researcher Performance

Rank: 81/99

Findings: 2

Award: $52.14

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L202-L206
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L251
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L274
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L303
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L320
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L348
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L366
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L377
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L406
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L419
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L471
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L486
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L601
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L615

Vulnerability details

Impact

The return value of the transfer function is not checked. In some ERC20 tokens a failed transfer does not revert but instead returns false, so the calling code continues as if the tokens had moved.

Proof of Concept

In RubiconRouter.sol:

swap #202

_swap #251

swapEntireBalance #274

maxBuyAllAmount #303

maxSellAllAmount #320

buyAllAmountWithETH #348

buyAllAmountForETH #366, #374, #377

offerWithETH #406

offerForETH #419

depositWithETH #471

withdrawForETH #486

In BathPair.sol:

strategistBootyClaim #601, #615

Tools Used

Change the calls to require(token.transferFrom(a, b, c)); and require(token.transfer(a, b)); so that a false return value reverts the transaction.
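The pattern behind this finding, as an added illustration rather than code from the Rubicon repository: a constructed token that returns false instead of reverting, the unchecked call that silently accepts it, the require-wrapped fix the report suggests, and a low-level variant that also tolerates tokens returning no data (the contract and function names below are hypothetical).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed for the example.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed test double: every transfer "fails" by returning false, never reverting.
contract FalseReturnToken is IERC20 {
    function transfer(address, uint256) external pure returns (bool) { return false; }
    function transferFrom(address, address, uint256) external pure returns (bool) { return false; }
}

// Hypothetical router fragment, not Rubicon's code.
contract TransferCheckDemo {
    mapping(address => uint256) public credited;

    // VULNERABLE: the boolean result is dropped, so with FalseReturnToken the
    // caller is credited `amount` although nothing was actually pulled in.
    function depositUnchecked(IERC20 token, uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        credited[msg.sender] += amount;
    }

    // FIX from the report: revert unless the token reports success.
    function depositChecked(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        credited[msg.sender] += amount;
    }

    // Stricter variant: handles tokens that return false AND tokens that return
    // no data at all (same idea as OpenZeppelin's SafeERC20.safeTransfer).
    function withdrawSafe(IERC20 token, uint256 amount) external {
        credited[msg.sender] -= amount; // reverts on underflow in 0.8.x
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(token.transfer.selector, msg.sender, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}
```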

#0 - bghughes

2022-06-03T21:45:16Z

Duplicate of #316

Lines of code

https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L171-L177
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L208-214
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L229-235
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L280-286
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L510-516
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L530-544

Vulnerability details

Impact

If the user sets expectedMarketFeeBPS == 10000, they will lose double the pay_amt amount and gain nothing.

Proof of Concept

In RubiconRouter.sol (lines 171-177 and 229-235), uint256 _pay would be 0 if the user sets expectedMarketFeeBPS == 10000. This problem affects the following functions: getExpectedSwapFill, swap, _swap, swapEntireBalance, swapWithETH, swapForETH.

Tools Used

Validate expectedMarketFeeBPS on entry to make sure it is within a reasonable range.

#0 - bghughes

2022-06-04T21:00:52Z

Disagree, decision should be made off chain

#1 - HickupHH3

2022-06-18T04:42:08Z

Doesn't explain further the impact of having _pay = 0. Downgrading to QA.

#2 - HickupHH3

2022-06-18T07:02:36Z

part of warden's QA report: #242

#3 - HickupHH3

2022-06-25T03:10:23Z

This will be the warden's primary report as the other was invalidated
