Ethos Reserve contest - Haipls's results

A CDP-backed stablecoin platform designed to generate yield on underlying assets to establish a sustainable DeFi stable interest rate.

General Information

Platform: Code4rena

Start Date: 16/02/2023

Pot Size: $144,750 USDC

Total HM: 17

Participants: 154

Period: 19 days

Judge: Trust

Total Solo HM: 5

Id: 216

League: ETH

Ethos Reserve

Findings Distribution

Researcher Performance

Rank: 18/154

Findings: 1

Award: $2,028.03

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: matrix_0wl

Also found by: Haipls

Labels

bug
2 (Med Risk)
disagree with severity
satisfactory
sponsor confirmed
duplicate-638

Awards

2028.0263 USDC - $2,028.03

External Links

Lines of code

https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Core/contracts/LUSDToken.sol#L254

Vulnerability details

Impact

  • Other protocols that read DOMAIN_SEPARATOR() from an EIP-2612 token, or that require strict conformance to the standard, cannot integrate LUSDToken: a call through the standard interface targets a function selector this contract does not expose.

  • Contract classifiers that infer a contract's type from the functions it exposes will not recognize it as a token with permit.

  • Websites, exchanges and tooling will likewise not recognize it as a permit-capable token, so users will not be offered the gas savings or permit-based features that depend on reading DOMAIN_SEPARATOR() automatically.

Proof of Concept

The contract LUSDToken.sol (linked above) implements EIP-2612, but the implementation is not conformant. According to the standard (https://eips.ethereum.org/EIPS/eip-2612) the contract must expose `function DOMAIN_SEPARATOR() external view returns (bytes32)`. The contract instead exposes `function domainSeparator() public view override returns (bytes32)`, a different function name and therefore a different selector. The contract cannot be said to fully implement the standard, since the mandatory DOMAIN_SEPARATOR method is missing.
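As an added example (not code from the finding or from the Ethos Reserve project), the script below shows why the naming difference matters in practice: the EVM dispatches on the 4-byte Keccak-256 selector of the signature, so `DOMAIN_SEPARATOR()` and `domainSeparator()` are unrelated entry points and a call through the standard `IERC20Permit` interface never reaches the renamed getter. It also shows the two checks a classifier or integrator would run: a selector-level conformance check against the EIP-2612 required functions, and the common heuristic of looking for `PUSH4 <selector>` in runtime bytecode. Keccak-256 is implemented inline so the script runs offline; the `NONCONFORMING_ABI`, `CONFORMING_ABI` and `FAKE_RUNTIME` values are constructed for illustration and are not taken from LUSDToken.sol.

```python
"""EIP-2612 interface conformance check (added example, not Ethos Reserve or Code4rena code).

Keccak-256 is implemented inline so the script runs offline with no third-party
packages. The ABI signature lists and the bytecode fragment below are constructed
for illustration; they are not extracted from the audited LUSDToken.sol.
"""

MASK64 = (1 << 64) - 1
# Rho rotation offsets, indexed [x][y].
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _round_constants():
    # Iota constants from the FIPS 202 rc(t) LFSR (x^8 + x^6 + x^5 + x^4 + 1).
    def rc(t):
        r = 1
        for _ in range(t % 255):
            r <<= 1
            if r & 0x100:
                r ^= 0x71
            r &= 0xFF
        return r & 1
    return [sum(rc(j + 7 * i) << ((1 << j) - 1) for j in range(7)) for i in range(24)]


RC = _round_constants()


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64


def _keccak_f(a):
    # Keccak-f[1600] on a 5x5 lane state a[x][y]; theta, rho+pi, chi, iota per round.
    for rc in RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        a[0][0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    """Original (pre-FIPS) Keccak-256 as used by the EVM: rate 136, pad10*1 with 0x01."""
    rate = 136
    padded = bytearray(data) + b"\x01"
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    state = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            lane = int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
            state[i % 5][i // 5] ^= lane  # lane index i = x + 5*y
        state = _keccak_f(state)
    return b"".join(state[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def selector(signature: str) -> str:
    """4-byte function selector (hex) that the EVM dispatcher matches on."""
    return keccak256(signature.encode()).hex()[:8]


# Functions EIP-2612 requires; an integrator calling through IERC20Permit uses these selectors.
EIP2612_REQUIRED = (
    "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)",
    "nonces(address)",
    "DOMAIN_SEPARATOR()",
)


def missing_eip2612_functions(abi_signatures):
    """Return the required EIP-2612 signatures whose selector the contract does not expose."""
    exposed = {selector(s) for s in abi_signatures}
    return [s for s in EIP2612_REQUIRED if selector(s) not in exposed]


def bytecode_exposes(runtime_code: bytes, signature: str) -> bool:
    """Heuristic used by contract classifiers: a Solidity dispatcher compares the first
    4 calldata bytes against PUSH4 <selector>, so the selector appears literally in code."""
    return b"\x63" + bytes.fromhex(selector(signature)) in runtime_code


# Constructed ABI shaped like the finding describes: permit and nonces exist, but the
# separator getter is named domainSeparator() instead of DOMAIN_SEPARATOR().
NONCONFORMING_ABI = [
    "transfer(address,uint256)",
    "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)",
    "nonces(address)",
    "domainSeparator()",
]
CONFORMING_ABI = NONCONFORMING_ABI[:-1] + ["DOMAIN_SEPARATOR()"]

# Constructed dispatcher fragment: PUSH4 <selector> EQ for each exposed function.
FAKE_RUNTIME = b"".join(b"\x63" + bytes.fromhex(selector(s)) + b"\x14" for s in NONCONFORMING_ABI)

if __name__ == "__main__":
    print("DOMAIN_SEPARATOR() selector:", selector("DOMAIN_SEPARATOR()"))
    print("domainSeparator()  selector:", selector("domainSeparator()"))
    print("missing on nonconforming token:", missing_eip2612_functions(NONCONFORMING_ABI))
    print("missing on conforming token:  ", missing_eip2612_functions(CONFORMING_ABI))
    print("bytecode exposes DOMAIN_SEPARATOR():", bytecode_exposes(FAKE_RUNTIME, "DOMAIN_SEPARATOR()"))
```

Both checks are interface-shape checks only: they confirm whether the selector an integrator will call exists, not whether the value returned matches the EIP-712 domain separator that `permit` actually verifies against. A contract that exposes `DOMAIN_SEPARATOR()` but returns a stale or differently computed value would pass these checks and still break signature verification, so a full conformance review also compares the getter's output with the separator used inside `permit`.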

Tools Used

  • Manual review
  • Comparison against the EIP-2612 specification

#0 - c4-judge

2023-03-08T13:27:06Z

trust1995 marked the issue as satisfactory

#1 - c4-judge

2023-03-08T13:27:12Z

trust1995 marked the issue as primary issue

#2 - tess3rac7

2023-03-14T00:23:33Z

Agree with nonconformity however recommend low severity as per: https://docs.code4rena.com/awarding/judging-criteria/severity-categorization "function incorrect to spec"

#3 - c4-sponsor

2023-03-14T00:23:39Z

tess3rac7 marked the issue as disagree with severity

#4 - trust1995

2023-03-20T09:50:41Z

"function incorrect to spec" relates to project-defined specs, rather than breaking spec of EIPs, AFAIK. From experience with many past contests, this is in line with Medium severity due to risks of composability with additional protocols.

#5 - c4-sponsor

2023-03-20T15:26:32Z

tess3rac7 marked the issue as sponsor confirmed

#6 - c4-judge

2023-03-20T15:45:49Z

trust1995 marked issue #638 as primary and marked this issue as a duplicate of 638
