Back to KIntern_NA's contests

Frax Ether Liquid Staking contest - KIntern_NA's results

A liquid ETH staking derivative designed to uniquely leverage the Frax Finance ecosystem.

General Information

Platform: Code4rena

Start Date: 22/09/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 133

Period: 3 days

Judge: 0xean

Total Solo HM: 2

Id: 165

League: ETH

Frax Finance

Findings Distribution

Researcher Performance

Rank: 40/133

Findings: 2

Award: $67.17

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryFrax Finance

Findings Information

🌟 Selected for report: Lambda

Also found by: 0x52, Bahurum, Bnke0x0, KIntern_NA, Respx, Soosh, TomJ, Trust, V_B, lukris02, rbserver, rotcivegaf, yixxas

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed
old-submission-method
depositEther OOG

Awards

39.1574 USDC - $39.16

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-frax/blob/55ea6b1ef3857a277e2f47d42029bc0f3d6f9173/src/frxETHMinter.sol#L131-L136

Vulnerability details

Impact

In case numDeposits > validators.length() function getNextValidator() will revert when i reach to validators.length() + 1

// url = https://github.com/code-423n4/2022-09-frax/blob/55ea6b1ef3857a277e2f47d42029bc0f3d6f9173/src/frxETHMinter.sol#L131-L136
(
    bytes memory pubKey,
    bytes memory withdrawalCredential,
    bytes memory signature,
    bytes32 depositDataRoot
) = getNextValidator(); // Will revert if there are not enough free validators

This case can happen cause maybe there are a lot of people want to stake their eth into this contract but there aren't enough depositContract for frxETHMinter to deposit user's eth to. ==> This will make user lose yield.

Tools Used

Manual review

Break the loop when validators is empty.

#0 - FortisFortuna

2022-09-25T22:45:15Z

We plan to keep an eye on the number free validators and have a decent sized buffer of them.

#1 - FortisFortuna

2022-09-26T16:30:56Z

Adding a maxLoops parameter or similar can help mitigate this for sure.

#2 - FortisFortuna

2022-09-26T17:22:25Z

duplicate of https://github.com/code-423n4/2022-09-frax-findings/issues/17

#3 - 0xean

2022-10-11T21:36:48Z

see #224 for the other half of this issue / same root cause...

Findings Information

🌟 Selected for report: rotcivegaf

Also found by: 0x040, 0x1f8b, 0x4non, 0xNazgul, 0xSmartContract, 0xf15ers, 8olidity, Aymen0909, B2, Bahurum, Bnke0x0, Ch_301, CodingNameKiki, Deivitto, Diana, Funen, IllIllI, JC, JLevick, KIntern_NA, Lambda, OptimismSec, PaludoX0, RockingMiles, Rolezn, Sm4rty, Soosh, Tagir2003, Tointer, TomJ, Triangle, Trust, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, asutorufos, ayeslick, aysha, bbuddha, bharg4v, bobirichman, brgltd, bytera, c3phas, cryptostellar5, cryptphi, csanuragjain, datapunk, delfin454000, durianSausage, exd0tpy, gogo, got_targ, jag, joestakey, karanctf, ladboy233, leosathya, lukris02, mics, millersplanet, natzuu, neko_nyaa, obront, oyc_109, parashar, peritoflores, rbserver, ret2basic, rokinot, ronnyx2017, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, tnevler, yasir, yongskiws

Awards

28.0141 USDC - $28.01

Labels

bug
QA (Quality Assurance)
old-submission-method

External Links

Link to GitHub issue

[2022-09-frax] QA report

tags: c4, 2022-09-frax, QA

typo comments

should check receiver != address(0)

should use mix case for function name

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter