Platform: Code4rena
Start Date: 07/09/2022
Pot Size: $20,000 CANTO
Total HM: 7
Participants: 65
Period: 1 day
Judge: 0xean
Total Solo HM: 3
Id: 159
League: ETH
Rank: 8/65
Findings: 3
Award: $357.08
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hickuphh3
Also found by: 0xNazgul, 0xSky, CertoraInc, Deivitto, Jeiwan, SinceJuly, hansfriese, linmiaomiao, rbserver
https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-periphery.sol#L582
The calculated token0 TVL can be lower than the actual value because precision is lost in the calculation. This makes the LP token price lower than it actually is.
Solidity supports only integer division: when dividing two numbers the result is truncated, e.g.:
10.9999999999 ether / 1 ether = 10 ether
When calculating token0TVL:
uint token0TVL = assetReserves[i] * (prices[i] / decimals);
The price is divided by decimals before being multiplied by the asset reserves. The division truncates the quotient, so the result of the multiplication is smaller than it should be.
Consider ordering multiplication before division:
uint token0TVL = (assetReserves[i] * prices[i]) / decimals;
#0 - nivasan1
2022-09-10T17:13:06Z
duplicate #106
#1 - 0xean
2022-10-13T13:39:00Z
dupe of #41
🌟 Selected for report: Chom
Also found by: 0xSmartContract, Jeiwan, SinceJuly, V_B, cccz, linmiaomiao
https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-periphery.sol#L491
https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-periphery.sol#L498
https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-periphery.sol#L501
https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-periphery.sol#L505
Malicious actors can deploy fake tokens with one of the hard-coded token symbols. The getUnderlyingPrice function will return the price of the original token when a fake token is passed as the parameter.
Since symbols don't uniquely identify tokens (a token can have any symbol, including one belonging to an existing token), it is possible that a fake token with one of the symbols checked in the getUnderlyingPrice function is deployed. getUnderlyingPrice will then return the price of the real token when the fake token is provided.
Someone deploys a fake token with the symbol "cCANTO". A protocol that's integrated with Canto (or Canto itself) calls getUnderlyingPrice to get the price of the fake token. The price of the real cCANTO is returned instead, which allows a malicious actor to use the fake token as collateral or in another market operation.
Consider using token addresses to identify tokens. As an example, this is how a similar function is implemented in the UniswapV2 Anchored View used by Compound:
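The sketch below is an added example. It is not the Compound code referred to above, not Canto's implementation, and not part of the original finding. It puts a symbol-keyed price lookup beside an address-keyed one; ToyToken, SymbolKeyedOracle, AddressKeyedOracle, listToken and the sample price are hypothetical names and values constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration; every contract, name and price below is constructed.
interface ISymbol {
    function symbol() external view returns (string memory);
}

// Minimal token whose symbol is whatever its deployer chooses.
contract ToyToken is ISymbol {
    string public override symbol;
    constructor(string memory symbol_) { symbol = symbol_; }
}

// Weak form: the price is selected by a string the token contract reports.
contract SymbolKeyedOracle {
    uint256 public constant CCANTO_PRICE = 2e18; // constructed sample price

    function getUnderlyingPrice(ISymbol token) external view returns (uint256) {
        if (keccak256(bytes(token.symbol())) == keccak256(bytes("cCANTO"))) {
            return CCANTO_PRICE; // any contract reporting "cCANTO" lands here
        }
        revert("unsupported token");
    }
}

// Hardened form: the price is selected by the token's contract address,
// which is fixed at deployment and cannot be claimed by another contract.
contract AddressKeyedOracle {
    address public immutable admin;
    mapping(address => uint256) private priceOf; // 0 means "not listed"

    constructor() { admin = msg.sender; }

    // Only the admin can list a token, and only by its address.
    function listToken(address token, uint256 price) external {
        require(msg.sender == admin, "not admin");
        require(token != address(0) && price != 0, "bad listing");
        priceOf[token] = price;
    }

    function getUnderlyingPrice(address token) external view returns (uint256) {
        uint256 price = priceOf[token];
        require(price != 0, "unsupported token"); // unlisted addresses are rejected
        return price;
    }
}
```

With two ToyToken instances that both report "cCANTO" and only one of them listed, SymbolKeyedOracle returns the same price for both, while AddressKeyedOracle reverts for the unlisted address.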
#0 - nivasan1
2022-09-10T17:20:35Z
duplicate #24
🌟 Selected for report: lukris02
Also found by: 0x040, 0x1f8b, 0x52, 0xA5DF, 0xNazgul, 0xSky, Bnke0x0, Bronicle, CertoraInc, Chom, CodingNameKiki, Deivitto, Diraco, Dravee, EthLedger, IgnacioB, JC, JansenC, Jeiwan, R2, RaymondFam, ReyAdmirado, Rolezn, SinceJuly, TomJ, Tomo, Yiko, a12jmx, ajtra, ak1, codexploder, cryptphi, csanuragjain, erictee, fatherOfBlocks, gogo, hake, hansfriese, hickuphh3, ignacio, ontofractal, oyc_109, p_crypt0, pashov, peritoflores, rajatbeladiya, rbserver, rokinot, rvierdiiev, tnevler
242.8216 CANTO - $39.22
Due to the early return in the next line, the assignment to underlying is not used.