Munchables - AgileJune's results

A web3 point farming game in which Keepers nurture creatures to help them evolve, deploying strategies to earn them rewards in competition with other players.

General Information

Platform: Code4rena

Start Date: 22/05/2024

Pot Size: $20,000 USDC

Total HM: 6

Participants: 126

Period: 5 days

Judge: 0xsomeone

Total Solo HM: 1

Id: 379

League: ETH

Researcher Performance

Rank: 112/126

Findings: 1

Award: $0.01

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L177-L242

Vulnerability details

Impact

The price can be disapproved even though it is the correct price, which is intended to be approved by more than APPROVE_THRESHOLD (=3).

Proof of Concept

There are 5 roles that can approve/disapprove the proposed price. At least 3 roles approve or disapprove to assess the proposed price. Inspecting the approve and disapprove functions shows that a user who has approved can't disapprove the price again, but a user who has already disapproved can approve the price again. This means that when a user feels his previous disapproval was not correct and changes his assessment to approval, usdUpdateProposal.disapprovals[msg.sender] is not cleared and disapprovalsCount is not decremented accordingly. So disapprovalsCount remains unchanged. If another role then disapproves the price, the proposed price is not accepted as a result.

Example:

role1 proposed price X -- approvalsCount = 1, disapprovalsCount = 0
role2 disapprove -- approvalsCount = 1, disapprovalsCount = 1
role3 disapprove -- approvalsCount = 1, disapprovalsCount = 2
role3 approve -- approvalsCount = 2, disapprovalsCount = 2
role4 disapprove -- approvalsCount = 2, disapprovalsCount = 3

Without role5's assessment, the price can be rejected.

Tools Used

Manual review

Add the check below to the approve() function:

if (usdUpdateProposal.disapprovals[msg.sender] == _usdProposalId) revert ProposalAlreadyDisapprovedError();

Assessed type

Other
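
The vote sequence from the proof of concept, replayed in a simplified Python model (an added example, not part of the submission and not the LockManager.sol source). The class and role names are hypothetical, and the disapproval threshold of 3 is an assumption taken from the walkthrough; `fixed=True` applies the check the report recommends.

```python
# Simplified model of the vote bookkeeping the finding describes (added example,
# not the LockManager.sol source). Role names and class names are hypothetical.
APPROVE_THRESHOLD = 3
DISAPPROVE_THRESHOLD = 3  # assumption: the walkthrough rejects at 3 disapprovals

class AlreadyVoted(Exception):
    """Stands in for the contract's revert on a repeated or conflicting vote."""

class PriceProposal:
    def __init__(self, proposer, block_switch=False):
        self.approvals = {proposer}   # the proposer counts as the first approval
        self.disapprovals = set()
        self.approvals_count, self.disapprovals_count = 1, 0
        self.status = "pending"
        self.block_switch = block_switch  # True applies the report's mitigation

    def approve(self, role):
        if role in self.approvals:
            raise AlreadyVoted(role)
        if self.block_switch and role in self.disapprovals:
            raise AlreadyVoted(role)  # the check the report recommends
        self.approvals.add(role)      # an earlier disapproval is left in place
        self.approvals_count += 1
        if self.approvals_count >= APPROVE_THRESHOLD:
            self.status = "accepted"

    def disapprove(self, role):
        if role in self.approvals or role in self.disapprovals:
            raise AlreadyVoted(role)
        self.disapprovals.add(role)
        self.disapprovals_count += 1
        if self.disapprovals_count >= DISAPPROVE_THRESHOLD:
            self.status = "rejected"

def replay(votes, fixed=False):
    """Replay (role, action) pairs; return status, counts, double-counted roles."""
    p = PriceProposal("role1", block_switch=fixed)
    for role, action in votes:
        if p.status != "pending":
            break
        try:
            getattr(p, action)(role)
        except AlreadyVoted:
            pass  # the contract would revert; the tallies stay unchanged
    both = sorted(p.approvals & p.disapprovals)
    return p.status, p.approvals_count, p.disapprovals_count, both

# Constructed input: the vote sequence from the proof of concept above.
POC_VOTES = [("role2", "disapprove"), ("role3", "disapprove"),
             ("role3", "approve"), ("role4", "disapprove")]
```

In the unfixed model role3 ends up counted on both sides, which is the invariant violation to test for: no role should appear in both tallies for the same proposal. With the check enabled, role3's approval is refused and the three disapprovals all come from roles that still stand by them.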

#0 - c4-judge

2024-06-05T12:42:42Z

alex-ppg marked the issue as satisfactory
