Caviar contest - Apocalypto's results

A fully on-chain NFT AMM that allows you to trade every NFT in a collection.

General Information

Platform: Code4rena

Start Date: 12/12/2022

Pot Size: $36,500 USDC

Total HM: 8

Participants: 103

Period: 7 days

Judge: berndartmueller

Id: 193

League: ETH

Caviar

Findings Distribution

Researcher Performance

Rank: 54/103

Findings: 2

Award: $52.93

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

6.9881 USDC - $6.99

Labels

bug
3 (High Risk)
satisfactory
duplicate-442

External Links

Lines of code

https://github.com/code-423n4/2022-12-caviar/blob/0212f9dc3b6a418803dbfacda0e340e059b8aae2/src/Pair.sol#L63-L99
https://github.com/code-423n4/2022-12-caviar/blob/0212f9dc3b6a418803dbfacda0e340e059b8aae2/src/Pair.sol#L417-L427

Vulnerability details

Impact

Creation of the pair does not add initial liquidity, which leads to a situation where an attacker can front-run the creator and execute a sandwich attack against the creator.

Exploitation Scenario:

  1. Alice creates a pair and wants to add liquidity
  2. Bob front-runs Alice's add liquidity and quickly adds his liquidity with 100 ETH and 1 Fractional Token, which mints 10 LP
  3. Alice adds 100 ETH and 100 Fractional Tokens, which gives 10 LP
  4. The pool is 200 ETH and 101 Fractional Tokens
  5. Bob withdraws liquidity with 10 LP and gets 100 ETH and 50 Fractional Tokens
  6. Bob just made a nice profit

Proof of Concept

Pair.sol:

Tools Used

Manual Review

It is recommended to initialize the pair with the liquidity provided by the creator.

#0 - Minh-Trng

2022-12-19T20:58:38Z

If Alice thinks she would be the first to supply, she would set the minLPTokenAmount parameter to sqrt(100*100)=100 (because she expects 0 slippage), which would cause her tx to revert.

#1 - c4-judge

2022-12-20T14:34:19Z

berndartmueller marked the issue as duplicate of #442

#2 - c4-judge

2023-01-16T11:48:33Z

berndartmueller marked the issue as satisfactory
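
The arithmetic behind the scenario above and Minh-Trng's comment, as an added example that is not part of the submission or of the Caviar code base. It is a Python model that assumes Uniswap-V2-style minting (square root of the product for the first deposit, the smaller pro-rata share afterwards) and whole-token integer units; `Pool`, `SlippageError` and `run_scenario` are hypothetical names.

```python
from math import isqrt

class SlippageError(Exception):
    """Stands in for the revert raised when fewer LP tokens are minted than requested."""

class Pool:
    """Constructed model, not Pair.sol: integer reserves in whole tokens."""
    def __init__(self):
        self.base = self.frac = self.supply = 0  # ETH, fractional tokens, LP supply

    def add_quote(self, base_in, frac_in):
        if self.supply > 0:
            # Later deposits: the smaller of the two pro-rata shares.
            return min(base_in * self.supply // self.base,
                       frac_in * self.supply // self.frac)
        # First deposit: the depositor alone fixes the price ratio.
        return isqrt(base_in * frac_in)

    def add(self, base_in, frac_in, min_lp):
        minted = self.add_quote(base_in, frac_in)
        if minted < min_lp:  # slippage guard (the minLPTokenAmount check)
            raise SlippageError(f"minted {minted} < minimum {min_lp}")
        self.base += base_in
        self.frac += frac_in
        self.supply += minted
        return minted

    def remove(self, lp_amount):
        base_out = self.base * lp_amount // self.supply
        frac_out = self.frac * lp_amount // self.supply
        self.base -= base_out
        self.frac -= frac_out
        self.supply -= lp_amount
        return base_out, frac_out

def run_scenario(alice_min_lp):
    """Replay steps 1-5 with the page's amounts; alice_min_lp is Alice's guard."""
    pool = Pool()
    bob_lp = pool.add(100, 1, min_lp=0)  # Bob deposits first at a skewed ratio
    try:
        alice_lp = pool.add(100, 100, min_lp=alice_min_lp)
    except SlippageError:
        return {"alice_reverted": True, "bob_out": pool.remove(bob_lp)}
    return {"alice_reverted": False, "alice_lp": alice_lp,
            "bob_out": pool.remove(bob_lp), "alice_out": pool.remove(alice_lp)}

if __name__ == "__main__":
    print(run_scenario(alice_min_lp=0))    # no guard: Alice deposits 100 FT, gets 51 back
    print(run_scenario(alice_min_lp=100))  # guard set to sqrt(100*100): Alice's add reverts
```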

Findings Information

Awards

45.9386 USDC - $45.94

Labels

bug
2 (Med Risk)
satisfactory
duplicate-243

External Links

Lines of code

https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L406-L409

Vulnerability details

Impact

The implementation of sellQuote follows the logic of getAmountOut from the Uniswap V2 Library. However, it doesn't add +1 as the original implementation does; this could make the function return zero and lead to reverts.

Proof of Concept

https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L406-L409

Tools Used

Manual review

Just add 1 to the return value.

#0 - c4-judge

2022-12-28T12:02:12Z

berndartmueller marked the issue as duplicate of #243

#1 - c4-judge

2023-01-10T09:44:40Z

berndartmueller marked the issue as satisfactory
