Open Dollar - Bughunter101's results

A floating $1.00 pegged stablecoin backed by Liquid Staking Tokens with NFT controlled vaults.

General Information

Platform: Code4rena

Start Date: 18/10/2023

Pot Size: $36,500 USDC

Total HM: 17

Participants: 77

Period: 7 days

Judge: MiloTruck

Total Solo HM: 5

Id: 297

League: ETH

Open Dollar

Findings Distribution

Researcher Performance

Rank: 46/77

Findings: 2

Award: $45.44

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Open Dollar

Findings Information

🌟 Selected for report: MrPotatoMagic

Also found by: Bughunter101, COSMIC-BEE-REACH, HChang26, Stormreckson, T1MOH, Tendency, hals, josephdara, klau5, merlin, tnquanghuy0512, twcctop

Labels

bug

2 (Med Risk)

satisfactory

sufficient quality report

duplicate-171

Awards

37.1417 USDC - $37.14

External Links

Link to GitHub issue

Lines of code

https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/proxies/ODSafeManager.sol#L105

Vulnerability details

Impact

allowSAFE() function dose not check the msg.sender == _safeData[_safe].owner, it may cause the owner loses control Assume the following scenario:

Alice is the owner. She calls allowSAFE() to make Bob a safeCan user.
Alice wants to cancel Bob’s safeCan permissions
However, before Alice calls the cancel function, Bob can add safeCan permission to another account (we assume Bob’s other account is called Car) by calling allowSAFE(), without Alice knowing.
Finally, even if Alice cancels Bob's permissions, Bob can still exercise privileges through the Car account

Proof of Concept

  function allowSAFE(uint256 _safe, address _usr, uint256 _ok) external safeAllowed(_safe) {
    address _owner = _safeData[_safe].owner;
    safeCan[_owner][_safe][_usr] = _ok;
    emit AllowSAFE(msg.sender, _safe, _usr, _ok);
  }

Tools Used

manual

Recommended Mitigation Steps

I suggest adding check msg.sender == _safeData[_safe].owner to ensure only the owner is allowed to call this function

Assessed type

Access Control

#0 - c4-pre-sort
2023-10-26T04:45:17Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort
2023-10-26T04:45:36Z

raymondfam marked the issue as duplicate of #171

#2 - c4-judge
2023-11-02T08:44:24Z

MiloTruck marked the issue as satisfactory

Findings Information

🌟 Selected for report: MrPotatoMagic

Also found by: 0xMosh, 0xPsuedoPandit, 0xhacksmithh, 8olidity, Al-Qa-qa, Baki, Bughunter101, Krace, Stormreckson, T1MOH, Tendency, eeshenggoh, fibonacci, hals, immeas, kutugu, lsaudit, m4k2, mrudenko, okolicodes, phoenixV110, spark, twicek, xAriextz

Awards

8.3007 USDC - $8.30

Labels

bug

grade-b

low quality report

QA (Quality Assurance)

Q-17

External Links

Link to GitHub issue

(non-critical) `deployCamelotRelayer()` does not check if whether the address is repeated or whether it already exists.

https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/factories/CamelotRelayerFactory.sol#L23

deployCamelotRelayer() does not check if whether the address is repeated or whether it already exists.It will cause waste of calling. I sugguest add check.

(non-critical) `openSAFE()` The function allows anyone to call it, which may lead to the proliferation of `vault721`

I suggest adding permission checks to only allow specific controller calls to prevent vault721 flooding

  /// @inheritdoc IODSafeManager
  function openSAFE(bytes32 _cType, address _usr) external returns (uint256 _id) {
    if (_usr == address(0)) revert ZeroAddress();

    ++_safeId;
    address _safeHandler = address(new SAFEHandler(safeEngine));

    _safeData[_safeId] = SAFEData({owner: _usr, safeHandler: _safeHandler, collateralType: _cType});

    _usrSafes[_usr].add(_safeId);
    _usrSafesPerCollat[_usr][_cType].add(_safeId);

    vault721.mint(_usr, _safeId);//@audit

    emit OpenSAFE(msg.sender, _usr, _safeId);
    return _safeId;
  }

#0 - c4-pre-sort
2023-10-27T01:03:16Z

raymondfam marked the issue as low quality report

#1 - c4-judge
2023-11-03T16:55:31Z

MiloTruck marked the issue as grade-c

#2 - c4-judge
2023-11-03T18:00:43Z

MiloTruck marked the issue as grade-b

Open Dollar - Bughunter101's results

A floating $1.00 pegged stablecoin backed by Liquid Staking Tokens with NFT controlled vaults.

General Information

Findings Distribution

Researcher Performance

External Links

[M-12] `allowSAFE()` function dose not check the `msg.sender == _safeData[_safe].owner` - $37.14

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2023-10-26T04:45:17Z

#1 - c4-pre-sort2023-10-26T04:45:36Z

#2 - c4-judge2023-11-02T08:44:24Z

[Q-17] QA Report - $8.30

Findings Information

Awards

Labels

External Links

(non-critical) deployCamelotRelayer() does not check if whether the address is repeated or whether it already exists.

(non-critical) openSAFE() The function allows anyone to call it, which may lead to the proliferation of vault721

#0 - c4-pre-sort2023-10-27T01:03:16Z

#1 - c4-judge2023-11-03T16:55:31Z

#2 - c4-judge2023-11-03T18:00:43Z

#0 - c4-pre-sort
2023-10-26T04:45:17Z

#1 - c4-pre-sort
2023-10-26T04:45:36Z

#2 - c4-judge
2023-11-02T08:44:24Z

(non-critical) `deployCamelotRelayer()` does not check if whether the address is repeated or whether it already exists.

(non-critical) `openSAFE()` The function allows anyone to call it, which may lead to the proliferation of `vault721`

#0 - c4-pre-sort
2023-10-27T01:03:16Z

#1 - c4-judge
2023-11-03T16:55:31Z

#2 - c4-judge
2023-11-03T18:00:43Z