Infinity NFT Marketplace contest - Czar102's results

The world's most advanced NFT marketplace.

General Information

Platform: Code4rena

Start Date: 14/06/2022

Pot Size: $50,000 USDC

Total HM: 19

Participants: 99

Period: 5 days

Judge: HardlyDifficult

Total Solo HM: 4

Id: 136

League: ETH

Researcher Performance

Rank: 77/99

Findings: 1

Award: $49.01

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L226-L238

https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L205-L224

Vulnerability details

Impact

Miscalculation of stake level can impact availability of some functions of the protocol for users, change their fee discount (funds loss) or change voting power (protocol's critical functionality).

Proof of Concept

Even if the user has surpassed the threshold for a stake level, they may not be on this stake level. For example, when the user has half a token more than the threshold, getUserStakePower() will return the value rounded down and getUserStakeLevel() will see the number at the threshold, claiming that the stake level is lower than it really is.

Tools Used

Manual analysis

Either use getUserStakeLevel() with raw amount of tokens (token wei) or claim that the user achieved the threshold when they have at least the THRESHOLD_AMOUNT, causing the rounding not to change the result.

#0 - nneverlander

2022-06-22T12:50:04Z

Not sure if this is a high vuln. Closing as low.

#1 - HardlyDifficult

2022-07-10T15:41:10Z

Potentially an off by 1 error due to rounding. This is a fair improvement consideration. Lowering risk and converting this into a QA report for the warden.
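
The rounding described in the finding, modelled as an added example (not code from the contest repository or from the warden). It assumes an 18-decimal token, constructed threshold values and a strict comparison on the rounded power; all function names are hypothetical. It compares the reported behaviour with the two suggested fixes and computes the range of amounts that get the lower level.

```python
# Added model of the rounding described in the finding; not the contract's code.
WEI = 10**18  # assumption: 18-decimal token

# Constructed thresholds in whole tokens (the real values are not on this page).
THRESHOLDS = [("BRONZE", 1_000), ("SILVER", 5_000), ("GOLD", 10_000)]


def level(value, thresholds, inclusive=False):
    """Highest level whose threshold `value` exceeds (or reaches, if inclusive)."""
    result = "NONE"
    for name, threshold in thresholds:
        if value > threshold or (inclusive and value == threshold):
            result = name
    return result


def level_as_reported(raw_wei):
    """Power rounded down to whole tokens, then a strict comparison."""
    return level(raw_wei // WEI, THRESHOLDS)


def level_raw_wei(raw_wei):
    """First suggested fix: compare the raw wei amount, no rounding."""
    return level(raw_wei, [(n, t * WEI) for n, t in THRESHOLDS])


def level_at_least(raw_wei):
    """Second suggested fix: '>=' on the rounded power."""
    return level(raw_wei // WEI, THRESHOLDS, inclusive=True)


def misreported_range(threshold_tokens):
    """Inclusive wei range above a threshold where the rounded level lags."""
    bad = threshold_tokens * WEI + 1   # first amount strictly above the threshold
    if level_as_reported(bad) == level_raw_wei(bad):
        return None
    # Two tokens up the levels agree again (thresholds here are far apart).
    start, ok = bad, bad + 2 * WEI
    while ok - bad > 1:                # bisect for the last disagreeing amount
        mid = (bad + ok) // 2
        if level_as_reported(mid) == level_raw_wei(mid):
            ok = mid
        else:
            bad = mid
    return start, bad


if __name__ == "__main__":
    for name, tokens in THRESHOLDS:
        print(name, misreported_range(tokens))
```

The two suggested fixes are not identical: for a stake exactly at a threshold, the raw-wei comparison keeps the user on the lower level, while the at-least comparison moves them up.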
