Tapioca DAO - DelerRH's results

The first ever Omnichain money market, powered by LayerZero.

General Information

Platform: Code4rena

Start Date: 05/07/2023

Pot Size: $390,000 USDC

Total HM: 136

Participants: 132

Period: about 1 month

Judge: LSDan

Total Solo HM: 56

Id: 261

League: ETH

Tapioca DAO

Researcher Performance

Rank: 95/132

Findings: 1

Award: $76.34

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Limbooo

Also found by: DelerRH, LosPollosHermanos, c7e7eff, rvierdiiev, zzzitron

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
edited-by-warden
duplicate-1158

Awards

76.3356 USDC - $76.34

External Links

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/Penrose.sol#L381-L388 https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/Penrose.sol#L424-L450

Vulnerability details

Impact

Due to the implementation of registerSingularity, in the BoringFactory deploy function, masterContract maps to cloneAddress: https://github.com/boringcrypto/BoringSolidity/blob/78f4817d9c0d95fe9c45cd42e307ccd22cf5f4fc/contracts/BoringFactory.sol#L61

But in addSingularity that is used for registering an existing singularity market (without deployment), masterContract doesn't map to cloneAddress: https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/Penrose.sol#L381-L388

The executeMarketFn function, which uses masterContractOf[mc[i]] to get a master contract for validation, reverts with "Penrose: MC not registered": https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/Penrose.sol#L438-L443

Due to this revert, the owner (Penrose) can't execute these functions in the singularity market:

Note: This finding is high. Due to the impacted functions, fees are stuck and cannot be transferred.

Proof of Concept

Add these lines at the end of the Penrose.test.ts file in the tapioca-bar-audit repo, then run npx hardhat test --grep 'Should add Singularity & execute market function correctly'

it('Should add Singularity & execute market function correctly', async () => {
    const { bar } = await loadFixture(register);

    // Register new MC
    const mediumRiskSingularityMC = await (
        await ethers.getContractFactory('Singularity')
    ).deploy();
    await mediumRiskSingularityMC.deployed();
    const mcLengthBefore = await bar.singularityMasterContractLength();
    await (
        await bar.registerSingularityMasterContract(mediumRiskSingularityMC.address, 1)
    ).wait();
    const mcLength = await bar.singularityMasterContractLength();
    expect(mcLength.eq(mcLengthBefore.add(1))).to.be.true;

    // Register new singularity market
    // Random address (It's not important to deploy real sg market for this test)
    const sgMarket = "0x6716E4A2268d4feca147Ea3e26fe2665730BA81F";

    await expect(bar.addSingularity(mediumRiskSingularityMC.address, sgMarket)).to.not.be.reverted;
    expect(await bar.isMarketRegistered(sgMarket)).to.be.true;

    // expect(await bar.masterContractOf(sgMarket)).equals(mediumRiskSingularityMC.address);

    await expect(bar.executeMarketFn(
        [sgMarket],
        [ethers.utils.toUtf8Bytes('')],
        true,
    )).to.not.be.rejectedWith("Penrose: MC not registered");
});

Tools Used

Hardhat, manual review

Store clone and master contract relation

function addSingularity(
        address mc,
        address _contract
    ) external onlyOwner registeredSingularityMasterContract(mc) {
        isMarketRegistered[_contract] = true;
        clonesOf[mc].push(_contract);
+       masterContractOf[_contract] = mc;
        emit RegisterSingularity(_contract, mc);
    }
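
Review bot: nothing ahead of the added `masterContractOf[_contract] = mc;` line checks whether `_contract` is already registered, so a second addSingularity call for the same market with a different registered `mc` would silently repoint the mapping while the market stays listed in both `clonesOf` arrays. Suggest a require on `!isMarketRegistered[_contract]` before the three writes, so each market is bound to exactly one master contract.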

Assessed type

DoS

#0 - c4-pre-sort

2023-08-05T06:27:32Z

minhquanym marked the issue as duplicate of #79

#1 - c4-judge

2023-09-26T14:33:46Z

dmvt marked the issue as satisfactory

#2 - c4-judge

2023-09-26T14:33:57Z

dmvt changed the severity to 2 (Med Risk)

Findings Information

🌟 Selected for report: Limbooo

Also found by: DelerRH, LosPollosHermanos, c7e7eff, rvierdiiev, zzzitron

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-1158

Awards

76.3356 USDC - $76.34

External Links

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/Penrose.sol#L424-L450 https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/Penrose.sol#L414-L421

Vulnerability details

Impact

Due to the implementation of registerBigBang, in the BoringFactory deploy function, masterContract maps to cloneAddress: https://github.com/boringcrypto/BoringSolidity/blob/78f4817d9c0d95fe9c45cd42e307ccd22cf5f4fc/contracts/BoringFactory.sol#L61

But in addBigBang that is used for registering an existing bigbang market (without deployment), masterContract doesn't map to cloneAddress: https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/Penrose.sol#L395-L409

The executeMarketFn function, which uses masterContractOf[mc[i]] to get a master contract for validation, reverts with "Penrose: MC not registered": https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/Penrose.sol#L438-L443

Due to this revert, the owner (Penrose) can't execute these functions in the bigbang market:

Note: This finding is high. Due to the impacted functions, fees are stuck and cannot be transferred.

Proof of Concept

Add these lines at the end of the Penrose.test.ts file in the tapioca-bar-audit repo, then run npx hardhat test --grep 'Can add BigBang & execute market function'

it('Can add BigBang & execute market function', async () => {
    const { bar } = await loadFixture(register);

    // Register new MC
    const mediumBigBangMC = await (
        await ethers.getContractFactory('BigBang')
    ).deploy();
    await mediumBigBangMC.deployed();
    const mcLengthBefore = await bar.bigBangMasterContractLength();
    await (
        await bar.registerBigBangMasterContract(mediumBigBangMC.address, 1)
    ).wait();
    const mcLength = await bar.bigBangMasterContractLength();
    expect(mcLength.eq(mcLengthBefore.add(1))).to.be.true;

    // Register new Bigbang market
    // Random address (It's not important to deploy real Bigbang market for this test)
    const BigBangMarket = "0x6716E4A2268d4feca147Ea3e26fe2665730BA81F";

    await expect(bar.addBigBang(mediumBigBangMC.address, BigBangMarket)).to.not.be.reverted;
    expect(await bar.isMarketRegistered(BigBangMarket)).to.be.true;

    // expect(await bar.masterContractOf(BigBangMarket)).equals(mediumBigBangMC.address);

    await expect(bar.executeMarketFn(
        [BigBangMarket],
        [ethers.utils.toUtf8Bytes('')],
        true,
    )).to.not.be.rejectedWith("Penrose: MC not registered");
});

Tools Used

Hardhat, manual review

Store clone and master contract relation

    function addBigBang(
        address mc,
        address _contract
    ) external onlyOwner registeredBigBangMasterContract(mc) {
        isMarketRegistered[_contract] = true;
        clonesOf[mc].push(_contract);
+       masterContractOf[_contract] = mc;
        emit RegisterBigBang(_contract, mc);
    }
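
Review bot: the three state writes in addBigBang, including the added `masterContractOf[_contract] = mc;`, are the same as those in addSingularity; only the modifier and the emitted event differ, and both functions needed the same one-line fix. Suggest moving the `isMarketRegistered`, `clonesOf` and `masterContractOf` writes into one internal helper that both add functions call, so the two paths cannot drift apart again.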

Assessed type

DoS

#0 - c4-pre-sort

2023-08-05T06:27:22Z

minhquanym marked the issue as duplicate of #79

#1 - c4-judge

2023-09-26T14:33:47Z

dmvt marked the issue as satisfactory

#2 - c4-judge

2023-09-26T14:33:59Z

dmvt changed the severity to 2 (Med Risk)
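
The state mismatch both findings describe, as an added example that is not part of the original submissions or the Tapioca code base: a small TypeScript model of the two registration paths, the executeMarketFn validation, and an invariant sweep that lists markets the validation would reject. It generalizes addSingularity and addBigBang into one add path; `PenroseModel`, `orphanedMarkets`, `scenario` and the address labels are assumptions made for illustration.

```typescript
// Constructed model (not project code): mappings as plain records, addresses as labels.
type Address = string;
class PenroseModel {
    patched: boolean; // true = the proposed masterContractOf write is applied
    registeredMC: Record<Address, boolean> = {};
    isMarketRegistered: Record<Address, boolean> = {};
    clonesOf: Record<Address, Address[]> = {};
    masterContractOf: Record<Address, Address> = {};
    constructor(patched: boolean) { this.patched = patched; }
    // register* path: BoringFactory.deploy records clone -> master contract.
    registerMarket(mc: Address, clone: Address): void {
        this.masterContractOf[clone] = mc;
        this.track(mc, clone);
    }
    // add* path: existing market, no deployment; the mapping write is the fix.
    addMarket(mc: Address, market: Address): void {
        this.track(mc, market);
        if (this.patched) this.masterContractOf[market] = mc;
    }
    track(mc: Address, market: Address): void {
        this.isMarketRegistered[market] = true;
        this.clonesOf[mc] = (this.clonesOf[mc] || []).concat(market);
    }
    // Validation step of executeMarketFn as the findings describe it; an
    // unmapped market resolves to no master contract, like address(0) on-chain.
    executeMarketFn(markets: Address[]): void {
        markets.forEach((m) => {
            if (!this.registeredMC[this.masterContractOf[m]]) throw new Error("Penrose: MC not registered");
        });
    }
}

// Invariant sweep: every market listed under a master contract must map back to it.
function orphanedMarkets(p: PenroseModel): Address[] {
    const bad: Address[] = [];
    Object.keys(p.clonesOf).forEach((mc) =>
        p.clonesOf[mc].forEach((c) => { if (p.masterContractOf[c] !== mc) bad.push(c); }));
    return bad;
}

function scenario(patched: boolean): { orphans: Address[]; error: string | null } {
    const p = new PenroseModel(patched);
    p.registeredMC["mc-singularity"] = true;
    p.registerMarket("mc-singularity", "market-deployed");
    p.addMarket("mc-singularity", "market-added");
    let error: string | null = null;
    try { p.executeMarketFn(["market-deployed", "market-added"]); } catch (e) { error = (e as Error).message; }
    return { orphans: orphanedMarkets(p), error };
}
```

The same sweep, run against real contract state read through `clonesOf` and `masterContractOf`, would flag any market added before the fix was deployed.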
