Basin - JGcarv's results

A composable EVM-native decentralized exchange protocol.

General Information

Platform: Code4rena

Start Date: 03/07/2023

Pot Size: $40,000 USDC

Total HM: 14

Participants: 74

Period: 7 days

Judge: alcueca

Total Solo HM: 9

Id: 259

League: ETH

Basin

Findings Distribution

Researcher Performance

Rank: 40/74

Findings: 1

Award: $17.52

QA:

grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Basin

Findings Information

🌟 Selected for report: 0xprinc

Also found by: 0x11singh99, 0xAnah, 0xWaitress, 0xkazim, 2997ms, 33audits, 404Notfound, 8olidity, CRIMSON-RAT-REACH, CyberPunks, DanielWang888, Deekshith99, Eeyore, Eurovickk, Inspecktor, JGcarv, John, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Qeew, QiuhaoLi, Rolezn, TheSavageTeddy, Topmark, Trust, Udsen, a3yip6, alexzoid, bigtone, codegpt, erebus, fatherOfBlocks, ginlee, glcanvas, hunter_w3b, josephdara, kaveyjoe, kutugu, mahdirostami, max10afternoon, oakcobalt, peanuts, pfapostol, ptsanev, qpzm, radev_sw, ravikiranweb3, sces60107, seth_lawson, te_aut, twcctop, zhaojie, ziyou-

Awards

17.5208 USDC - $17.52

Labels

bug

downgraded by judge

grade-a

low quality report

primary issue

QA (Quality Assurance)

Q-45

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-07-basin/blob/main/src/functions/ConstantProduct2.sol#L49 https://github.com/code-423n4/2023-07-basin/blob/main/src/functions/ConstantProduct2.sol#L58 https://github.com/code-423n4/2023-07-basin/blob/main/src/functions/ConstantProduct2.sol#L79 https://github.com/code-423n4/2023-07-basin/blob/main/src/functions/ConstantProduct2.sol#L92

Vulnerability details

Impact

Although the contract ConstantProduct2 is designed to work with Wells of 2 tokens, it doesn't employ any enforcement on that, which allows it to be used with multi tokens Wells.

Proof of Concept

In that scenario, regardless of the tokens being traded, the contract will always output the calculation regarding the first 2 reserves, which can possibly lead to incorrect values and broken invariants.

Tools Used

Manual review

Recommended Mitigation Steps

Add a requirement statement that reserves.length == 2

Assessed type

Invalid Validation

#0 - c4-pre-sort
2023-07-12T02:47:15Z

141345 marked the issue as low quality report

#1 - c4-pre-sort
2023-07-13T07:43:42Z

141345 marked the issue as duplicate of #163

#2 - c4-judge
2023-08-04T05:47:09Z

alcueca changed the severity to QA (Quality Assurance)

#3 - c4-judge
2023-08-05T21:28:16Z

alcueca marked the issue as selected for report

#4 - c4-judge
2023-08-05T21:28:29Z

alcueca marked the issue as grade-a

#5 - c4-judge
2023-08-19T18:42:44Z

alcueca marked the issue as not selected for report

Basin - JGcarv's results

A composable EVM-native decentralized exchange protocol.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-45] QA Report - $17.52

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2023-07-12T02:47:15Z

#1 - c4-pre-sort2023-07-13T07:43:42Z

#2 - c4-judge2023-08-04T05:47:09Z

#3 - c4-judge2023-08-05T21:28:16Z

#4 - c4-judge2023-08-05T21:28:29Z

#5 - c4-judge2023-08-19T18:42:44Z

#0 - c4-pre-sort
2023-07-12T02:47:15Z

#1 - c4-pre-sort
2023-07-13T07:43:42Z

#2 - c4-judge
2023-08-04T05:47:09Z

#3 - c4-judge
2023-08-05T21:28:16Z

#4 - c4-judge
2023-08-05T21:28:29Z

#5 - c4-judge
2023-08-19T18:42:44Z