Back to Englave's contests

Tigris Trade contest - Englave's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Tigris Trade

Findings Distribution

Researcher Performance

Rank: 67/84

Findings: 2

Award: $14.91

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryTigris Trade

Findings Information

🌟 Selected for report: 0xA5DF

Also found by: 0xA5DF, 0xNazgul, 0xSmartContract, 0xbepresent, 0xdeadbeef0x, 8olidity, Englave, Faith, HE1M, JohnnyTime, Madalad, Mukund, Ruhum, SmartSek, __141345__, aviggiano, carlitox477, cccz, chaduke, francoHacker, gz627, gzeon, hansfriese, hihen, imare, jadezti, kwhuo68, ladboy233, orion, peanuts, philogy, rbserver, wait, yjrwkk

Awards

1.1472 USDC - $1.15

Labels

bug
2 (Med Risk)
satisfactory
sponsor acknowledged
duplicate-377

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Lock.sol#L113 https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/BondNFT.sol#L351

Vulnerability details

Impact

BondNFT contract allows adding an unlimited amount of assets using addAsset function. claimGovFees is a public function, which is a part of lock, claimDebt, claim and release functions, so in case of Denial of Service vulnerability, all this functionality would be blocked. It's risky to rely on the unlimited length during iterations, as it could cause an "Out of Gas" exception.

Proof of Concept

To reproduce the issue you need to add a lot of assets, which sounds not real for production, but is still a valid issue, as it's possible to do.

   it("DoS assets", async function () {
      for (let step = 0; step < 1000; step++) {
        let contractToken = await ethers.getContractFactory("StableToken");
        let token = await contractToken.deploy("te" + step, "test" + step);
        await token.connect(owner).setMinter(owner.address, true);
        await token.connect(user).approve(Lock.address, ethers.utils.parseEther("3000"));
        await token.connect(owner).approve(Lock.address, ethers.utils.parseEther("100000000000"));
        await token.connect(owner).approve(Bond.address, ethers.utils.parseEther("100000000000"));
        await token.connect(owner).approve(GovNFT.address, ethers.utils.parseEther("100000000000"));
        await bond.connect(owner).addAsset(token.address);
      }
      
      await lock.connect(owner).claimGovFees(); //Will iterate over all 1000 assets and ran out of Gas.
    });
Hardhat result

Tools Used

Visual inspection; Test PoC.

The simplest solution is to define the upper limit for assets.

#0 - GalloDaSballo

2022-12-21T14:59:43Z

Best POC would also calculate minimum amount of assets for revert but this is pretty good

#1 - c4-judge

2022-12-21T14:59:47Z

GalloDaSballo marked the issue as primary issue

#2 - TriHaz

2022-12-23T03:06:56Z

addAsset can only be called by owner, it is a valid issue but it will not put any risk to the protocol as we will only add a reasonable number of assets.

#3 - c4-sponsor

2022-12-23T03:07:01Z

TriHaz marked the issue as sponsor acknowledged

#4 - c4-judge

2023-01-15T14:00:54Z

GalloDaSballo marked the issue as duplicate of #377

#5 - c4-judge

2023-01-22T17:33:36Z

GalloDaSballo marked the issue as satisfactory

Findings Information

🌟 Selected for report: yjrwkk

Also found by: 0x4non, 0xDecorativePineapple, 0xdeadbeef0x, Avci, Critical, Deivitto, Dinesh11G, Englave, Tointer, ak1, chaduke, izhelyazkov, pwnforce, rbserver, rvierdiiev, unforgiven

Awards

13.7578 USDC - $13.76

Labels

2 (Med Risk)
satisfactory
duplicate-533

External Links

Link to GitHub issue

Judge has assessed an item in Issue #32 as M risk. The relevant finding follows:

  1. StableVault deposits are limited to 18 decimals During deposit and withdraw to/from StableVault contract, it mints/burns the same amount of stable tokens with respect to decimals. The current implementation supports only tokens with <= 18 decimals. It’s not possible to list a token with a bigger amount of decimals because it would cause overflow exceptions during stable token decimals calculation: 18-IERC20Mintable(_token).decimals(). Path: ./contracts/StableVault.sol : deposit()

#0 - c4-judge

2022-12-22T15:09:29Z

GalloDaSballo marked the issue as duplicate of #533

#1 - c4-judge

2023-01-22T17:44:58Z

GalloDaSballo marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter