Badger Citadel contest - Jujic's results

Bringing BTC to DeFi

General Information

Platform: Code4rena

Start Date: 14/04/2022

Pot Size: $75,000 USDC

Total HM: 8

Participants: 72

Period: 7 days

Judge: Jack the Pug

Total Solo HM: 2

Id: 110

League: ETH

BadgerDAO

Findings Distribution

Researcher Performance

Rank: 61/72

Findings: 1

Award: $91.37

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/ampleforth/market-oracle/blob/master/contracts/MedianOracle.sol

Vulnerability details

Impact

The Owner can add new addresses of providers authorized to push reports to the MedianOracle contract. By mistake, the Owner can add more providers to address[] providers than necessary. In this case, the main function getData() could fail if the array gets too big and the transaction consumes more gas than the block limit. But if the Owner then wants to remove a provider from the array, he cannot, because the function removeProvider uses a loop over the same array. This results in a denial of service for the desired functionality (getting the Citadel price in assets) and breaks core functionality.

Proof of Concept

add new providers https://github.com/ampleforth/market-oracle/blob/5e7fd1506784f074748ab6bd5df740ca2227b14f/contracts/MedianOracle.sol#L212

Remove provider from array via loop https://github.com/ampleforth/market-oracle/blob/5e7fd1506784f074748ab6bd5df740ca2227b14f/contracts/MedianOracle.sol#L226

Computes median of provider reports https://github.com/ampleforth/market-oracle/blob/5e7fd1506784f074748ab6bd5df740ca2227b14f/contracts/MedianOracle.sol#L164

Tools Used

VS Code

Recommended Mitigation Steps

Add a maximum providers.length check in the addProvider() function.
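As an added illustration of the mitigation above (not the MedianOracle source or the project's own code): a minimal owner-managed provider list whose addProvider() refuses to grow past an assumed MAX_PROVIDERS constant, so the linear-scan removeProvider() loop is always bounded. The contract name, the cap value and the duplicate-provider check are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified example (not the MedianOracle source) of an owner-managed
// provider list whose add path is capped so the loops that walk the
// array (remove, median computation) stay within the block gas limit.
contract BoundedProviderList {
    address public owner;
    address[] public providers;
    mapping(address => bool) public isProvider;

    // Assumed cap; a real deployment picks a value that keeps a full
    // scan of the array comfortably below the block gas limit.
    uint256 public constant MAX_PROVIDERS = 50;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function addProvider(address provider) external onlyOwner {
        require(!isProvider[provider], "already a provider");
        // The check the finding recommends: refuse growth past the bound.
        require(providers.length < MAX_PROVIDERS, "too many providers");
        providers.push(provider);
        isProvider[provider] = true;
    }

    // Linear scan, as described in the finding; its cost is now bounded
    // by MAX_PROVIDERS rather than by whatever the owner pushed.
    function removeProvider(address provider) external onlyOwner {
        require(isProvider[provider], "not a provider");
        uint256 n = providers.length;
        for (uint256 i = 0; i < n; i++) {
            if (providers[i] == provider) {
                providers[i] = providers[n - 1]; // swap-and-pop removal
                providers.pop();
                isProvider[provider] = false;
                return;
            }
        }
    }

    function providersSize() external view returns (uint256) {
        return providers.length;
    }
}
```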

#0 - GalloDaSballo

2022-04-22T23:02:12Z

I feel like you'd need over 1k providers before even remotely considering running out of gas. For that reason I won't dispute, but disagree with the severity.

#1 - jack-the-pug

2022-06-05T05:04:10Z

Downgrading to QA.
