Timeswap contest - Fitraldys's results

Like Uniswap, but for lending & borrowing.

General Information

Platform: Code4rena

Start Date: 04/01/2022

Pot Size: $75,000 USDC

Total HM: 17

Participants: 33

Period: 7 days

Judge: 0xean

Total Solo HM: 14

Id: 74

League: ETH

Timeswap

Findings Distribution

Researcher Performance

Rank: 13/33

Findings: 1

Award: $766.73

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: jayjonah8

Also found by: Fitraldys

Labels

bug
duplicate
2 (Med Risk)

Awards

766.7304 USDC - $766.73

External Links

Handle

Fitraldys

Vulnerability details

Impact

In https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Convenience/contracts/CollateralizedDebt.sol#L76 there is no reentrancy check: when _safeMint() is used, the function makes an external call to the to address through https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Convenience/contracts/base/ERC721.sol#L97 (_checkOnERC721Received), which calls into the to address, and that to address is user-controllable.

Proof of Concept

https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Convenience/contracts/CollateralizedDebt.sol#L76
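As an added illustration (not Timeswap's code and not part of this report), a minimal ERC721-style mint showing where _safeMint hands control to the recipient through _checkOnERC721Received, together with the mitigation a reviewer would expect: a reentrancy guard on the entry point and all state writes finished before the external call. GuardedDebtToken, debtOf and the guard itself are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract, not Timeswap's. Shows the call path
// mint -> _safeMint -> _checkOnERC721Received -> to.onERC721Received(...),
// where an arbitrary recipient contract runs code, and guards it.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

contract GuardedDebtToken {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => uint256) public debtOf; // hypothetical per-token state
    uint256 public totalSupply;

    // Reentrancy guard: a nested call into mint() from inside the receiver
    // callback reverts instead of observing or mutating half-updated state.
    modifier nonReentrant() {
        require(status == NOT_ENTERED, "reentrant call");
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }

    function mint(address to, uint256 debt) external nonReentrant returns (uint256 id) {
        id = ++totalSupply;
        // Effects before interaction: state is final before control leaves.
        debtOf[id] = debt;
        _safeMint(to, id);
    }

    function _safeMint(address to, uint256 id) internal {
        require(to != address(0), "zero address");
        require(ownerOf[id] == address(0), "already minted");
        ownerOf[id] = to;
        // Interaction: if `to` is a contract, it executes code here.
        _checkOnERC721Received(msg.sender, address(0), to, id);
    }

    function _checkOnERC721Received(address operator, address from, address to, uint256 id) private {
        if (to.code.length == 0) return; // plain account, no callback
        bytes4 retval = IERC721Receiver(to).onERC721Received(operator, from, id, "");
        require(retval == IERC721Receiver.onERC721Received.selector, "unsafe recipient");
    }
}
```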

#0 - amateur-dev

2022-01-15T04:01:19Z

Similar issue reported over here #43; hence closing this

#1 - 0xean

2022-01-25T23:53:12Z

bumping sev to match dupe
