Platform: Code4rena
Start Date: 03/05/2023
Pot Size: $60,500 USDC
Total HM: 25
Participants: 114
Period: 8 days
Judge: Picodes
Total Solo HM: 6
Id: 234
League: ETH
Rank: 74/114
Findings: 2
Award: $51.82
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: aviggiano
Also found by: 0xSmartContract, 0xTheC0der, 0xcm, ABAIKUNANBAEV, Audinarey, Audit_Avengers, BGSecurity, Bauchibred, Dug, Evo, Haipls, Jerry0x, TS, bytes032, devscrooge, kenta, ladboy233, mrvincere, patitonar, sakshamguruji, tsvetanovv
15.5756 USDC - $15.58
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L811-L821
Ordinary traders are not aware that the contract does not have sufficient ajna tokens when receiving rewards, resulting in partial loss of ajna. Smart traders will check the contract token balance before claiming rewards, which leads to unfairness.
if (rewardsEarned_ > ajnaBalance) rewardsEarned_ = ajnaBalance;
This logic will cause traders to lose part of their rewards.
vsCode Foundry
Add a "debt" field to store debt information
mapping(address => uint256) internal debt;
Record every potential debt incurred.
    function _transferAjnaRewards(uint256 rewardsEarned_) internal {
        // check that rewards earned isn't greater than remaining balance
        // if remaining balance is greater, set to remaining balance
        uint256 ajnaBalance = IERC20(ajnaToken).balanceOf(address(this));
        //@audit
        rewardsEarned_ = rewardsEarned_ + debt[msg.sender];
        if (rewardsEarned_ > ajnaBalance) {
            debt[msg.sender] = rewardsEarned_ - ajnaBalance;
            rewardsEarned_ = ajnaBalance;
        } else {
            debt[msg.sender] = 0;
        }
        if (rewardsEarned_ != 0) {
            // transfer rewards to sender
            IERC20(ajnaToken).safeTransfer(msg.sender, rewardsEarned_);
        }
    }
Other
#0 - c4-judge
2023-05-12T10:33:42Z
Picodes marked the issue as duplicate of #361
#1 - c4-judge
2023-05-29T20:55:36Z
Picodes marked the issue as satisfactory
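An added model of the payout behaviour this finding describes, written for this page and not part of the submission or the Ajna code base. It compares the capped transfer with the debt-tracking variant; the class names, token amounts and the later top-up are constructed assumptions, and a claim is treated as a one-shot entitlement.

```python
# Constructed model, not Ajna code: integer token units, one shared reward balance.

class CappedPayout:
    """Mirrors `if (rewardsEarned_ > ajnaBalance) rewardsEarned_ = ajnaBalance;`."""

    def __init__(self, balance):
        self.balance = balance

    def claim(self, user, earned):
        paid = min(earned, self.balance)   # any shortfall is silently dropped
        self.balance -= paid
        return paid


class DebtTrackedPayout(CappedPayout):
    """Mirrors the proposed mitigation: remember per user what could not be paid."""

    def __init__(self, balance):
        super().__init__(balance)
        self.debt = {}

    def claim(self, user, earned):
        owed = earned + self.debt.get(user, 0)
        paid = min(owed, self.balance)
        self.debt[user] = owed - paid      # becomes 0 once fully paid
        self.balance -= paid
        return paid


def simulate(payout_cls):
    """Constructed scenario: 100 tokens funded, alice and bob each earn 80,
    then the balance is topped up by 100 and bob claims again with nothing new earned."""
    pool = payout_cls(100)
    alice = pool.claim("alice", 80)
    bob_first = pool.claim("bob", 80)
    pool.balance += 100                    # later funding of the contract
    bob_second = pool.claim("bob", 0)
    return alice, bob_first, bob_second, pool.balance


if __name__ == "__main__":
    print("capped      :", simulate(CappedPayout))
    print("debt-tracked:", simulate(DebtTrackedPayout))
```

In the capped model the second claimant's 60-token shortfall is never paid even after the balance is refilled; in the debt-tracked model it is paid on the next claim.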
🌟 Selected for report: rbserver
Also found by: 0xnev, ABAIKUNANBAEV, Audit_Avengers, Aymen0909, BGSecurity, BRONZEDISC, Bason, DadeKuma, GG_Security, Jerry0x, Jorgect, MohammedRizwan, REACH, Sathish9098, Shogoki, T1MOH, UniversalCrypto, aviggiano, ayden, berlin-101, bytes032, codeslide, descharre, fatherOfBlocks, hals, kaveyjoe, kodyvim, lfzkoala, lukris02, nadin, naman1778, patitonar, pontifex, sakshamguruji, squeaky_cactus, teawaterwire, wonjun, yjrwkk
36.2377 USDC - $36.24
Calldata length must be greater than 68
mload(add(tokenDataWithSig, 68))
    require(tokenDataWithSig.length > 68, "invalid calldata");
    assembly {
        tokensRequested := mload(add(tokenDataWithSig, 68))
    }
#0 - c4-judge
2023-05-18T18:32:05Z
Picodes marked the issue as grade-b