Platform: Code4rena
Start Date: 17/06/2021
Pot Size: $60,000 USDC
Total HM: 12
Participants: 12
Period: 7 days
Judge: LSDan
Total Solo HM: 8
Id: 14
League: ETH
Rank: 7/12
Findings: 2
Award: $1,552.12
🌟 Selected for report: 2
🚀 Solo Findings: 0
229.3861 USDC - $229.39
JMukesh
The return value from transfer()/transferFrom() confirms whether that call succeeded; these return values should be checked.
Manual analysis
Use the return value to check that the call succeeded.
#0 - asselstine
2021-06-25T22:36:25Z
See https://github.com/code-423n4/2021-06-pooltogether-findings/issues/112
Severity is 1 (Low Risk) because if the transfer failed, the following deposit would fail. It could use a clearer error message, however.
#1 - dmvt
2021-07-31T21:08:21Z
duplicate of #112
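As an added illustration of the finding above (example code written for this page, not PoolTogether's contracts), the weak and hardened deposit patterns side by side. The contract names, the deposit/withdraw flow and the minimal IERC20 interface are assumptions; the locked compiler version follows the page's own recommendation of 0.6.12:

```solidity
// Added example: checking ERC20 transfer()/transferFrom() return values.
// Contract names and the deposit flow are assumptions made for this example.
pragma solidity 0.6.12;

// Minimal ERC20 surface needed here (assumption: tokens that return a bool).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract UncheckedDeposit {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) public { token = _token; }

    // Weak: a token that signals failure by returning false (instead of
    // reverting) leaves the caller credited with tokens that never arrived.
    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }
}

contract CheckedDeposit {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) public { token = _token; }

    // Hardened: the boolean result must be true, so a false return reverts
    // with an explicit message instead of silently continuing.
    function deposit(uint256 amount) external {
        require(
            token.transferFrom(msg.sender, address(this), amount),
            "CheckedDeposit/transfer-from-failed"
        );
        balances[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "CheckedDeposit/insufficient-balance");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "CheckedDeposit/transfer-failed");
    }
}
```

The `require` on the boolean is the minimum check; tokens that return no value at all from transfer() need a wrapper such as OpenZeppelin's SafeERC20 (`safeTransfer`/`safeTransferFrom`), which tolerates a missing return value but still reverts on an explicit `false`.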
🌟 Selected for report: JMukesh
582.701 USDC - $582.70
JMukesh
Using memory array parameters (e.g. uint[] memory) as function parameters can be tricky in Solidity, because an attack is possible with a very large array which will overlap with other parts of the memory.
This is an example showing the exploit:
```solidity
// based on https://github.com/paradigm-operations/paradigm-ctf-2021/blob/master/swap/private/Exploit.sol
pragma solidity ^0.4.24; // only works with low solidity version

contract test {
    struct Overlap {
        uint field0;
    }
    event log(uint);

    function mint(uint[] memory amounts) public returns (uint) {
        // this can be in any solidity version
        Overlap memory v;
        v.field0 = 1234;
        emit log(amounts[0]); // would expect to be 0 however is 1234
        return 1;
    }

    function go() public {
        // this part requires the low solidity version
        uint x = 0x800000000000000000000000000000000000000000000000000000000000000; // 2^251
        // calldata: selector, offset 0x20, then the huge array length x
        bytes memory payload = abi.encodeWithSelector(this.mint.selector, 0x20, x);
        bool success = address(this).call(payload);
    }
}
```
Manual analysis
Check the array length before using it.
#0 - asselstine
2021-06-25T22:42:03Z
We're going to remove the timelock functions. The initializer I'm not concerned about.
🌟 Selected for report: JMukesh
582.701 USDC - $582.70
JMukesh
To track contract activity off-chain it is necessary to use events.
In ATokenYieldSource.sol, IdleYieldSource.sol and yearnV2yieldsource, events are emitted in supplyTokenTo(), redeemToken() and sponsor(), but not in BadgerYieldsource.sol and shushiyieldsource.sol.
Manual analysis
Use events.
JMukesh
Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
https://swcregistry.io/docs/SWC-103
Manual analysis
Use a fixed Solidity version, for example: pragma solidity 0.6.12
#0 - asselstine
2021-06-25T22:43:16Z
#1 - dmvt
2021-08-23T15:59:57Z
duplicate of #109
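The three findings above (bounded memory-array parameters, events on state-changing entry points, and a locked pragma) applied together in one hardened yield-source sketch. This is example code added for this page, not PoolTogether's code; the contract name, the function bodies, the event names and the `MAX_BATCH` bound are assumptions, while the locked version 0.6.12 is the page's own recommendation:

```solidity
// Added example: locked pragma, length-checked array parameter, and events.
// Contract/event names and the MAX_BATCH value are assumptions for this example.
pragma solidity 0.6.12; // locked, not ^0.6.12: deploy with the tested compiler

contract BoundedYieldSource {
    // Upper bound on array parameters; the exact value is an assumption.
    uint256 public constant MAX_BATCH = 256;

    mapping(address => uint256) public balanceOf;
    uint256 public totalSupplied;

    // Events on every state-changing entry point so off-chain indexers can
    // reconstruct balances without replaying storage.
    event SuppliedTokenTo(address indexed from, address indexed to, uint256 amount);
    event RedeemedToken(address indexed from, uint256 amount);
    event BatchMinted(address indexed to, uint256 count, uint256 total);

    function supplyTokenTo(uint256 amount, address to) external {
        balanceOf[to] += amount;
        totalSupplied += amount;
        emit SuppliedTokenTo(msg.sender, to, amount);
    }

    function redeemToken(uint256 amount) external returns (uint256) {
        require(balanceOf[msg.sender] >= amount, "BoundedYieldSource/insufficient");
        balanceOf[msg.sender] -= amount;
        totalSupplied -= amount;
        emit RedeemedToken(msg.sender, amount);
        return amount;
    }

    // The array length is validated before any element is read, as the
    // finding recommends; an oversized length reverts here instead of being
    // dereferenced.
    function mint(uint256[] memory amounts, address to) public returns (uint256 total) {
        require(amounts.length <= MAX_BATCH, "BoundedYieldSource/array-too-large");
        for (uint256 i = 0; i < amounts.length; i++) {
            total += amounts[i];
        }
        balanceOf[to] += total;
        totalSupplied += total;
        emit BatchMinted(to, amounts.length, total);
    }
}
```

The length bound is checked first in `mint` so that nothing is read from `amounts` until the length has been rejected or accepted; keeping the bound a named constant also makes it visible to reviewers and to off-chain callers building batches.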