Back to GeekyLumberjack's contests

LI.FI contest - GeekyLumberjack's results

Bridge & DEX Aggregation.

General Information

Platform: Code4rena

Start Date: 24/03/2022

Pot Size: $75,000 USDC

Total HM: 15

Participants: 59

Period: 7 days

Judge: gzeon

Id: 103

League: ETH

LI.FI

Findings Distribution

Researcher Performance

Rank: 2/59

Findings: 2

Award: $6,849.87

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryLI.FI

Findings Information

🌟 Selected for report: 0xDjango

Also found by: GeekyLumberjack, pmerkleplant

Labels

bug
duplicate
3 (High Risk)

Awards

4566.5778 USDC - $4,566.58

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/GenericSwapFacet.sol#L28-L30

Vulnerability details

Failed transfer with low level call won't revert

Impact

A missing require may cause user to lose funds if a corner case issue filed separately named Failed transfer with low level call won't revert. This may result in user funds lost because funds were transferred into this contract in preparation for the swap. The swap fails but doesn't revert. In GenericSwapFacet.sol there is no require to check that postSwapBalance is greater than 0. However, there is in the other facets.

Proof of Concept

  1. Alice uses Generic swap with 100 DAI
  2. Alice's 100 DAI are sent to the Swapper.sol contract
  3. The call on swap _swapData.callTo.call{ value: msg.value }(_swapData.callData); fails but returns success due to nonexisting contract
  4. postSwapBalance = 0 Other facets would revert here
  5. Alice receives nothing in return

Tools Used

Manual review

add require(postSwapBalance > 0, "ERR_INVALID_AMOUNT");

#0 - H3xept

2022-04-06T15:14:16Z

Fixed in lifinance/lifi-contracts@91870a578e8dd315b057acc5eb3370ffa0186208

#1 - H3xept

2022-04-11T11:46:39Z

Duplicate of #76

Findings Information

🌟 Selected for report: GeekyLumberjack

Also found by: CertoraInc

Labels

bug
2 (Med Risk)
resolved

Awards

2283.2889 USDC - $2,283.29

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Libraries/LibSwap.sol#L42-L46

Vulnerability details

Impact

swap is used throughout the code via _executeSwaps in Swapper.sol. According to Solidity Docs the call may return true even if it was a failure. This may result in user funds lost because funds were transferred into this contract in preparation for the swap. The swap fails but doesn't revert. There is a way this can happen through GenericSwapFacet.sol due to a missing require that is present in the other facets which is a separate issue but gives this issue more relevance.

Proof of Concept

  1. Alice uses Generic swap with 100 DAI
  2. Alice's 100 DAI are sent to the Swapper.sol contract
  3. The call on swap _swapData.callTo.call{ value: msg.value }(_swapData.callData); fails but returns success due to nonexisting contract
  4. postSwapBalance = 0
  5. Alice receives nothing in return

Tools Used

Manual review

Check for contract existence

A similar issue was awarded a medium here

#0 - gzeoneth

2022-04-16T17:43:52Z

Sponsor confirmed with fix.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter