Y2k Finance contest - KIntern_NA's results

A suite of structured products for assessing pegged asset risk.

General Information

Platform: Code4rena

Start Date: 14/09/2022

Pot Size: $50,000 USDC

Total HM: 25

Participants: 110

Period: 5 days

Judge: hickuphh3

Total Solo HM: 9

Id: 162

League: ETH

Y2k Finance

Findings Distribution

Researcher Performance

Rank: 45/110

Findings: 2

Award: $102.03

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: hyh

Also found by: 0x4non, 0xNazgul, Haruxe, KIntern_NA, PwnPatrol, Respx, Tointer, joestakey, pauliax, peritoflores, rotcivegaf, scaraven

Labels

bug
duplicate
3 (High Risk)
satisfactory

Awards

85.8509 USDC - $85.85

External Links

Lines of code

https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L215-L218

Vulnerability details

[2022-09-Y2K] Users' funds can be drained because of wrong condition in function withdraw()

tags: c4, 2022-09-y2k, medium

Affected code

https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L215-L218

Impact

In function withdraw() of contract Vault, the condition in the affected code checks the approval of receiver instead of msg.sender. An attacker can therefore call withdraw() with receiver set to any address the owner has approved (such as contract Vault itself), even though the attacker has no approval from the owner. This causes users to lose the funds they deposited into contract Vault.

Proof of concept

  • Alice is a user who has approved contract Vault for all her tokens: isApprovedForAll(address(Alice), address(Vault)) = true
  • Alice deposits into an epoch of contract Vault. Bob is an attacker who has no approval from Alice but wants to drain all of Alice's funds.
  • After the epoch ends, Bob calls withdraw() before Alice does, with receiver set to the address of contract Vault.
  • The transaction succeeds because the condition in function withdraw() checks the approval of receiver instead of msg.sender. All of Alice's WETH is then transferred to contract Vault, and Alice loses it forever.

Tools Used

Manual review

Replace receiver with msg.sender in this condition:

if(
    msg.sender != owner &&
    isApprovedForAll(owner, msg.sender) == false)
    revert OwnerDidNotAuthorize(msg.sender, owner);
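To make the receiver/msg.sender mix-up concrete, the following is an added Python model of the authorization check (not the Y2k Vault contract and not the auditor's code). It simplifies the vault to a single epoch with 1:1 shares and WETH, keeps ERC-1155 style operator approvals, and toggles between the vulnerable check (authorizing receiver) and the fixed check (authorizing msg.sender) so the Alice/Bob scenario above can be replayed.

```python
"""Simplified model of the Vault.withdraw() authorization bug (constructed example)."""
from dataclasses import dataclass, field


class OwnerDidNotAuthorize(Exception):
    """Mirrors the contract's revert reason."""


@dataclass
class VaultModel:
    # ERC-1155 style operator approvals: owner -> operator -> approved
    approvals: dict = field(default_factory=dict)
    shares: dict = field(default_factory=dict)   # epoch shares per owner
    weth: dict = field(default_factory=dict)     # WETH balance per address
    address: str = "Vault"                       # the vault's own address
    fixed: bool = False                          # False = check receiver (bug)

    def set_approval_for_all(self, owner, operator, approved=True):
        self.approvals.setdefault(owner, {})[operator] = approved

    def is_approved_for_all(self, owner, operator):
        return self.approvals.get(owner, {}).get(operator, False)

    def deposit(self, owner, amount):
        self.shares[owner] = self.shares.get(owner, 0) + amount
        self.weth[self.address] = self.weth.get(self.address, 0) + amount

    def withdraw(self, sender, owner, receiver, amount):
        # Vulnerable variant authorizes `receiver`; fixed variant authorizes `sender`.
        operator = sender if self.fixed else receiver
        if sender != owner and not self.is_approved_for_all(owner, operator):
            raise OwnerDidNotAuthorize(sender, owner)
        self.shares[owner] -= amount
        self.weth[self.address] -= amount
        self.weth[receiver] = self.weth.get(receiver, 0) + amount


def run_scenario(fixed):
    """Replay the PoC: Bob (unapproved) withdraws Alice's shares to the vault itself."""
    v = VaultModel(fixed=fixed)
    v.set_approval_for_all("Alice", v.address)  # Alice approved the vault, as users normally do
    v.deposit("Alice", 10)
    try:
        v.withdraw(sender="Bob", owner="Alice", receiver=v.address, amount=10)
        return "drained", v.shares["Alice"]
    except OwnerDidNotAuthorize:
        return "reverted", v.shares["Alice"]
```

With the vulnerable check the call succeeds and Alice's shares drop to zero while the WETH never leaves the vault; with the fixed check the same call reverts, and a genuinely approved operator can still withdraw on her behalf.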

#1 - HickupHH3

2022-10-17T03:33:40Z

Valid attack vector and impact explained in POC.
