Platform: Code4rena
Start Date: 07/04/2023
Pot Size: $47,000 USDC
Total HM: 20
Participants: 120
Period: 6 days
Judge: GalloDaSballo
Total Solo HM: 4
Id: 230
League: ETH
Rank: 88/120
Findings: 1
Award: $23.08
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: sashik_eth
Also found by: 0x4non, 0x6980, 0xAgro, Cryptor, Kaysoft, Kenshin, Madalad, SaeedAlipoor01988, Sathish9098, W0RR1O, adriro, ayden, btk, catellatech, codeslide, devscrooge, georgits, giovannidisiena, lukris02, matrix_0wl, sayan, tnevler, tsvetanovv
23.0813 USDC - $23.08
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L534-L545
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L229-L231
The protocol allows the owner to set the uint128 variable VirtualBaseTokenReserves. This variable represents the amount of base tokens available to be used in the protocol. The owner can set this variable to be as high as possible. The problem, however, is that the function buy adds the amount of base tokens to VirtualBaseTokenReserves, so VirtualBaseTokenReserves can overflow, causing the buy function to revert.
The function setVirtualReserves allows an owner of a private pool to set the virtual reserves of a pool shown here
The owner can set this to any uint128 number, including the max uint128 amount.
Also, consider the buy function, which allows a user to buy; when they do, whatever base tokens they used to buy NFTs are added to VirtualBaseTokenReserves.
This creates a problem where, say, an owner sets the virtual reserves to type(uint128).max and a user subsequently calls the function buy. Any input amount greater than 0 will cause VirtualBaseTokenReserves to overflow, causing the buy function to revert.
Manual Review
A possible mitigation would be to add a requirement not to add to VirtualBaseTokenReserves if it is going to overflow.
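The overflow and the guard described above, as an added example that is not code from the finding or from the Caviar repository. The contract name, every function name, the `MAX_VIRTUAL_BASE` cap and the bounded setter are assumptions made for illustration, and owner-only access control is left out of the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Constructed model of the accounting described in the finding.
/// Not Caviar's PrivatePool; access control is omitted.
contract VirtualReserveModel {
    uint128 public virtualBaseTokenReserves;

    // Assumed policy: keep half of the uint128 range free for later buys.
    uint128 public constant MAX_VIRTUAL_BASE = type(uint128).max / 2;

    error ReserveTooHigh(uint128 requested, uint128 max);

    /// Unbounded setter, as the finding describes: any uint128 is accepted,
    /// including type(uint128).max.
    function setVirtualReservesUnbounded(uint128 newReserves) external {
        virtualBaseTokenReserves = newReserves;
    }

    /// Bounded setter (assumption): reject values that leave no headroom.
    function setVirtualReservesBounded(uint128 newReserves) external {
        if (newReserves > MAX_VIRTUAL_BASE) {
            revert ReserveTooHigh(newReserves, MAX_VIRTUAL_BASE);
        }
        virtualBaseTokenReserves = newReserves;
    }

    /// Accounting step of a buy: checked `+=` on a uint128.
    /// Solidity >= 0.8 reverts with Panic(0x11) if the sum exceeds 2**128 - 1,
    /// so after setVirtualReservesUnbounded(type(uint128).max) any netInput > 0 reverts.
    function creditBuy(uint128 netInput) external {
        virtualBaseTokenReserves += netInput;
    }

    /// Largest amount that can still be credited without overflowing.
    function headroom() public view returns (uint128) {
        return type(uint128).max - virtualBaseTokenReserves;
    }

    /// One reading of the suggested mitigation: add only when the sum fits.
    function creditBuyGuarded(uint128 netInput) external returns (bool credited) {
        if (netInput > headroom()) return false; // skip the add instead of reverting
        virtualBaseTokenReserves += netInput;
        return true;
    }
}
```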
#0 - c4-pre-sort
2023-04-20T18:40:20Z
0xSorryNotSorry marked the issue as duplicate of #167
#1 - c4-judge
2023-05-02T07:55:16Z
GalloDaSballo changed the severity to 3 (High Risk)
#2 - c4-judge
2023-05-02T07:56:03Z
GalloDaSballo marked the issue as satisfactory