Back to Jujic's contests

JPEG'd contest - Jujic's results

Bridging the gap between DeFi and NFTs.

General Information

Platform: Code4rena

Start Date: 07/04/2022

Pot Size: $100,000 USDC

Total HM: 20

Participants: 62

Period: 7 days

Judge: LSDan

Total Solo HM: 11

Id: 107

League: ETH

JPEG'd

Findings Distribution

Researcher Performance

Rank: 13/62

Findings: 3

Award: $1,241.61

🌟 Selected for report: 1

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryJPEG'd

Findings Information

🌟 Selected for report: Jujic

Also found by: hickuphh3

Labels

bug
2 (Med Risk)
disagree with severity
resolved
sponsor confirmed

Awards

1064.3207 USDC - $1,064.32

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/FungibleAssetVaultForDAO.sol#L105

Vulnerability details

Impact

Price can be stale and can lead to wrong answer return value.

Proof of Concept

Oracle data feed is insufficiently validated. There is no check for stale price and round completeness. Price can be stale and can lead to wrong answer return value.

function _collateralPriceUsd() internal view returns (uint256) {
        int256 answer = oracle.latestAnswer();
        uint8 decimals = oracle.decimals();

        require(answer > 0, "invalid_oracle_answer");

        ...

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/FungibleAssetVaultForDAO.sol#L105

Tools Used

Manual review

Validate data feed

function _collateralPriceUsd() internal view returns (uint256) {

(uint80 roundID, int256 answer, , uint256 timestamp, uint80 answeredInRound) = oracle.latestRoundData();
   
    require(answer > 0, "invalid_oracle_answer");
    require(answeredInRound >= roundID, "ChainLink: Stale price");
    require(timestamp > 0, "ChainLink: Round not complete");

         ...

#0 - 0xJPEG

2022-04-18T19:24:06Z

Can add validation for round not being complete yet and potentially for stale pricing. This should be med risk, as shown in past contests [1] [2] [3]

#1 - spaghettieth

2022-04-19T17:23:56Z

Fixed in https://github.com/jpegd/core/pull/9

#2 - dmvt

2022-04-26T14:35:24Z

Agree with sponsor on the medium risk rating. An oracle with a bad value is by definition an external requirement.

Findings Information

🌟 Selected for report: cccz

Also found by: 0xDjango, 0xkatana, Cr4ckM3, JMukesh, Jujic, Ruhum, WatchPug, berndartmueller, defsec, horsefacts, hyh, joshie, pedroais, peritoflores, rayn, reassor

Awards

25.7805 USDC - $25.78

Labels

bug
duplicate
2 (Med Risk)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/FungibleAssetVaultForDAO.sol#L105

Vulnerability details

Impact

The Chainlink API (latestAnswer) used in the FungibleAssetVaultForDAO contract is deprecated. This function does not error if no answer has been reached but returns 0.

Proof of Concept

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/FungibleAssetVaultForDAO.sol#L105

int256 answer = oracle.latestAnswer();

Tools Used

https://web.archive.org/web/20210304160150/https://docs.chain.link/docs/deprecated-aggregatorinterface-api-reference

Use the latestRoundData function to get the price instead.

#0 - spaghettieth

2022-04-12T11:29:01Z

Duplicate of #4

Findings Information

🌟 Selected for report: Dravee

Also found by: 0x1f8b, 0xDjango, 0xkatana, AuditsAreUS, Cityscape, Foundation, Funen, Hawkeye, IllIllI, JC, JMukesh, Jujic, Kthere, PPrieditis, Picodes, Ruhum, TerrierLover, TrungOre, WatchPug, berndartmueller, catchup, cccz, cmichel, delfin454000, dy, ellahi, hickuphh3, horsefacts, hubble, hyh, ilan, jayjonah8, kebabsec, kenta, minhquanym, pauliax, rayn, reassor, rfa, robee, samruna

Awards

151.5077 USDC - $151.51

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/FungibleAssetVaultForDAO.sol#L201

Vulnerability details

Impact

The use of transfer in withdraw() to send ether is now considered bad practice as gas costs can change which would break the code

Proof of Concept

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/FungibleAssetVaultForDAO.sol#L201

if (collateralAsset == ETH) payable(msg.sender).transfer(amount);

Tools Used

https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

https://chainsecurity.com/istanbul-hardfork-eips-increasing-gas-costs-and-more/

Recommend using call instead, and make sure to check for reentrancy.

#0 - spaghettieth

2022-04-12T11:34:41Z

Duplicate of #39

#1 - dmvt

2022-04-26T14:15:21Z

See comment on #39. This is a QA issue.

#2 - JeeberC4

2022-05-02T19:05:01Z

Generating QA Report for warden as judge downgraded issue. Preserving original title: Transfer is bad practice

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter