Back to Chom's contests

veToken Finance contest - Chom's results

Lock more veAsset permanently.

General Information

Platform: Code4rena

Start Date: 26/05/2022

Pot Size: $75,000 USDT

Total HM: 31

Participants: 71

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 18

Id: 126

League: ETH

veToken Finance

Findings Distribution

Researcher Performance

Rank: 58/71

Findings: 1

Award: $99.89

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryveToken Finance

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xf15ers, BouSalman, Chom, Deivitto, Dravee, ElKu, FSchmoede, Funen, GimelSec, Hawkeye, MiloTruck, Picodes, SecureZeroX, SmartSek, TerrierLover, WatchPug, _Adam, asutorufos, berndartmueller, c3phas, catchup, cccz, cogitoergosumsw, cryptphi, csanuragjain, delfin454000, dipp, ellahi, gzeon, hansfriese, horsefacts, hyh, kirk-baird, minhquanym, oyc_109, pauliax, reassor, robee, sashik_eth, shenwilly, simon135, sorrynotsorry, sseefried, unforgiven, xiaoming90, z3s

Awards

99.8852 USDT - $99.89

Labels

bug
duplicate
QA (Quality Assurance)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VeAssetDepositor.sol#L102-L109

Vulnerability details

Impact

uint256 unlockInWeeks = (unlockAt / WEEK) * WEEK; is in seconds (Rounded by seconds in 1 week) instead of weeks

Causing unlockTime logic to be broken

For example unlockInWeeks.sub(unlockTime) is 7 * 86400 when the time has passed by 1 week instead of 1

Proof of Concept

uint256 unlockInWeeks = (unlockAt / WEEK) * WEEK;

unlockAt is in seconds WEEK is in seconds / week (seconds in 1 week)

(unlockAt / WEEK) * WEEK has unit (seconds / (seconds/week)) * (seconds/week) = seconds

Can be proven by this example

image

Epoch timestamp: 1654189731 Date and time (GMT): Thursday, June 2, 2022 17:08:51 (unlockAt / WEEK) * WEEK = 1654128000 store this value to unlockTime

Pass time by 7 days = 1 week

Epoch timestamp: 1654794531 Date and time (GMT): Thursday, June 9, 2022 17:08:51 (unlockAt / WEEK) * WEEK = 1654732800

unlockInWeeks.sub(unlockTime) = 1654732800 - 1654128000 = 604800 = 7 * 86400

But we expect unlockInWeeks.sub(unlockTime) to be 1 as time is passed by 1 week Instead we got 7 * 86400 Which is wrong

Tools Used

  • Scan code by eye
  • Python CLI to proof of concept

uint256 unlockInWeeks = (unlockAt / WEEK);

Please don't multiply by WEEK again

#0 - solvetony

2022-06-15T17:16:23Z

Duplicate of #149

#1 - GalloDaSballo

2022-07-20T00:01:16Z

Dup of #149

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter