Althea Liquid Infrastructure - AM's results

Liquid Infrastructure.

General Information

Platform: Code4rena

Start Date: 13/02/2024

Pot Size: $24,500 USDC

Total HM: 5

Participants: 84

Period: 6 days

Judge: 0xA5DF

Id: 331

League: ETH

Althea

Findings Distribution

Researcher Performance

Rank: 53/84

Findings: 1

Award: $25.73

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

25.7286 USDC - $25.73

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
edited-by-warden
duplicate-87

External Links

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L441-L445
https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L221

Vulnerability details

In contract LiquidInfrastructureERC20, the function setDistributableERC20s lets the owner overwrite the list of ERC20s whose balances are owed to holders as entitlements. There are two issues here:

  • setDistributableERC20s does not check the LockedForDistribution flag, so the array can be overwritten while a distribution is in progress
  • setDistributableERC20s can also be called by mistake before a pending distribution has happened, leaving the balances of the removed ERC20s in the contract undistributed (locked)

Impact

It leads to locked funds and unsent entitlements. Because the setter takes no lock, an update of the distributable-ERC20 array can also disrupt an ongoing distribution: the per-token entitlements computed when the distribution started no longer match the array they are indexed against.

Proof of Concept

Tools Used

Manual review

Recommended Mitigation Steps

  1. Check the LockedForDistribution flag so the values cannot be overwritten during an ongoing distribution:

     function setDistributableERC20s(
         address[] memory _distributableERC20s
     ) public onlyOwner {
         // revert while a distribution is in flight
         require(!LockedForDistribution, "distribution ongoing");
         distributableERC20s = _distributableERC20s;
     }

  2. Before calling setDistributableERC20s to overwrite distributableERC20s, confirm that a distribution has happened and that no balance of the ERC20s being removed is left in the contract.
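To show why the lock matters and how both mitigations look in one place, here is a self-contained Solidity model added for this write-up. It is not code from the Althea repository or from the report: the contract name DistributableListGuardExample, the IERC20Minimal interface, and the holders/shares bookkeeping (a stand-in for the real ERC20 balance tracking) are assumptions, and the balance check in the hardened setter is an on-chain version of mitigation 2 that the report only describes in prose. The vulnerable setter is kept beside the hardened one for comparison.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface, declared inline so the file compiles stand-alone.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative model only (hypothetical contract). Names mirror
/// LiquidInfrastructureERC20; the holder/share bookkeeping is simplified.
contract DistributableListGuardExample {
    address public owner;
    address[] public holders;                   // approved holders, filled by the owner here
    mapping(address => uint256) public shares;  // stand-in for each holder's ERC20 balance
    uint256 public totalShares;

    address[] public distributableERC20s;
    uint256[] public erc20EntitlementPerUnit;   // index j pairs with distributableERC20s[j]
    bool public LockedForDistribution;
    uint256 public nextDistributionRecipient;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address[] memory initial) {
        owner = msg.sender;
        distributableERC20s = initial;
    }

    function addHolder(address h, uint256 amount) external onlyOwner {
        holders.push(h);
        shares[h] += amount;
        totalShares += amount;
    }

    // VULNERABLE shape, as described in the report: no lock check, so the owner
    // can swap the list while erc20EntitlementPerUnit still describes the old one.
    function setDistributableERC20sUnsafe(address[] memory list) external onlyOwner {
        distributableERC20s = list;
    }

    // HARDENED shape: reject changes while a distribution is in flight (mitigation 1)
    // and refuse to drop a token that still holds an undistributed balance
    // (mitigation 2, enforced on-chain here as an added check).
    function setDistributableERC20s(address[] memory list) external onlyOwner {
        require(!LockedForDistribution, "distribution ongoing");
        for (uint256 i = 0; i < distributableERC20s.length; i++) {
            address old = distributableERC20s[i];
            if (IERC20Minimal(old).balanceOf(address(this)) == 0) continue;
            bool kept = false;
            for (uint256 j = 0; j < list.length; j++) {
                if (list[j] == old) { kept = true; break; }
            }
            require(kept, "removing token with undistributed balance");
        }
        distributableERC20s = list;
    }

    // Batched distribution: may span several calls. LockedForDistribution stays
    // true between them, which is exactly the window the setter must respect.
    function distribute(uint256 numDistributions) external {
        require(numDistributions > 0, "zero batch");
        if (!LockedForDistribution) {
            _beginDistribution();
        }
        uint256 limit = nextDistributionRecipient + numDistributions;
        if (limit > holders.length) limit = holders.length;
        uint256 i;
        for (i = nextDistributionRecipient; i < limit; i++) {
            address recipient = holders[i];
            // If the list was shortened between batches, this index read reverts;
            // if it was reordered or replaced, the wrong token pays the wrong amount.
            for (uint256 j = 0; j < erc20EntitlementPerUnit.length; j++) {
                uint256 entitlement = erc20EntitlementPerUnit[j] * shares[recipient];
                IERC20Minimal(distributableERC20s[j]).transfer(recipient, entitlement);
            }
        }
        nextDistributionRecipient = i;
        if (i == holders.length) {
            LockedForDistribution = false;
            delete erc20EntitlementPerUnit;
        }
    }

    // Snapshot the per-unit entitlement of every listed token and take the lock.
    function _beginDistribution() internal {
        require(totalShares > 0, "no holders");
        LockedForDistribution = true;
        delete erc20EntitlementPerUnit;
        for (uint256 i = 0; i < distributableERC20s.length; i++) {
            uint256 balance = IERC20Minimal(distributableERC20s[i]).balanceOf(address(this));
            erc20EntitlementPerUnit.push(balance / totalShares);
        }
        nextDistributionRecipient = 0;
    }
}
```

The sequence to reproduce the issue against the unsafe setter is: fund the contract with two listed tokens, call distribute(1) so the lock is taken and the entitlement snapshot is built for both, then call setDistributableERC20sUnsafe with a single-element list and distribute(1) again. The second batch indexes distributableERC20s[1] against a one-element array and reverts, leaving the distribution stuck with LockedForDistribution set. The hardened setter rejects the same call with "distribution ongoing".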

Assessed type

Other

#0 - c4-pre-sort

2024-02-20T05:23:09Z

0xRobocop marked the issue as duplicate of #260

#1 - c4-judge

2024-03-04T15:27:44Z

0xA5DF marked the issue as satisfactory

#2 - c4-judge

2024-03-08T15:26:19Z

0xA5DF changed the severity to 2 (Med Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
