Back to KmanOfficial's contests

veRWA - KmanOfficial's results

Incentivization Primitive for Real World Assets on Canto

General Information

Platform: Code4rena

Start Date: 07/08/2023

Pot Size: $36,500 USDC

Total HM: 11

Participants: 125

Period: 3 days

Judge: alcueca

Total Solo HM: 4

Id: 274

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 50/125

Findings: 2

Award: $31.42

QA:
grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCanto

Findings Information

🌟 Selected for report: ltyu

Also found by: 0xDING99YA, 3docSec, KmanOfficial, MrPotatoMagic, RED-LOTUS-REACH, Tendency, Yuki, bart1e, bin2chen, carrotsmuggler, cducrest, kaden, mert_eren, pep7siup, popular00, qpzm, seerether, zhaojie

Awards

21.6049 USDC - $21.60

Labels

bug
3 (High Risk)
partial-50
upgraded by judge
duplicate-268

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L288-L323 https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L356-L387 https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L268-L284

Vulnerability details

Impact

Creating a lock (createLock) allows the user to lock CANTO tokens for a fixed time of 5 years from the current block.timestamp of when the transaction is executed on chain and this is rounded down to the nearest week relative to block.timestamp + 1825 days. The user can choose to delegate their locked CANTO and hence voting power to another address if the created lock of the delegate address ends at the same time or after the user's own created lock.

If the user only locks and delegates and doesn't choose to increaseAmount of CANTO that they lock during their initial locking period, when both the msg.sender (user) and delegatee's lock end timestamp has been reached the end user will not be able to remove undelegate and be able to withdraw.

The user also wouldn't be able to create a new lock either or increase the amount within their current lock in order to extend the lock time by another 5 years to allow the undelegate action. This is because in the first scenario as there is already tokens locked, createLock would revert (require(locked_.amount == 0, "Lock exists");). In the second scenario, you can only increase the amount within the lock if the lock has not expired which in this scenario it would of expired (require(locked_.end > block.timestamp, "Lock expired");).

This means user funds could be stuck in the VotingEscrow contract.

Proof of Concept

Pseudo Scenario:

  • Entity A locks 10 CANTO which creates a lock that expires in 5 years. 2 weeks passes
  • Entity B locks 100 CANTO, which creates a lock that expires in 5 years. (Expires 5 years + 2 weeks later relative to Entity A)
  • Entity A decides to delegate their locked CANTO to Entity B. This is allowed as Entity B's lock end is greater than Entity A. 5 years + 2 weeks passes
  • Entity A wants to undelegate their locked CANTO and withdraw - unable to delegate because of the condition in the delegate() function leading to a revert (https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L383)

With Entity A unable to create a new lock or increase amount within lock, albeit these should be unnecessary actions to recover their funds, their CANTO is permanently locked within in the contract. They can only delegate to another address that has a current lock, but will still nevertheless be able to withdraw.

Tools Used

Manual Code Review, VS Code

Allow un-delegation either unconditionally or if both the delegatee and the user's lock have both expired depending on how the protocol wants to handle this.

Assessed type

Other

#0 - c4-pre-sort

2023-08-11T11:55:38Z

141345 marked the issue as duplicate of #223

#1 - c4-pre-sort

2023-08-13T12:00:42Z

141345 marked the issue as duplicate of #112

#2 - c4-judge

2023-08-24T07:16:10Z

alcueca marked the issue as duplicate of #82

#3 - c4-judge

2023-08-24T07:20:40Z

alcueca changed the severity to 2 (Med Risk)

#4 - c4-judge

2023-08-24T07:29:38Z

alcueca marked the issue as partial-50

#5 - c4-pre-sort

2023-08-24T08:20:08Z

141345 marked the issue as not a duplicate

#6 - c4-pre-sort

2023-08-24T08:20:24Z

141345 marked the issue as not a duplicate

#7 - c4-pre-sort

2023-08-24T08:22:51Z

141345 marked the issue as duplicate of #211

#8 - c4-judge

2023-08-24T21:16:08Z

alcueca marked the issue as partial-50

#9 - c4-judge

2023-08-26T21:24:28Z

alcueca changed the severity to 3 (High Risk)

#10 - KmanProdz

2023-08-29T13:41:54Z

@alcueca @c4-judge Thank you for the upgrade back up to a high risk vulnerability status. May I ask why I was awarded only 50% partial credit? I explained in depth (potentially more/level with the primary issue) and offered an open mitigation decision depending on how the protocol developers would like to handle this specific scenario to stop the loss of funds.

Findings Information

🌟 Selected for report: RED-LOTUS-REACH

Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie

Awards

9.8204 USDC - $9.82

Labels

bug
grade-a
QA (Quality Assurance)
edited-by-warden
Q-49

External Links

Link to GitHub issue

[QA-1] "//See IVotingEscrow for documentation" comment should be removed and description of each function should be added as there isn't an interface for VotingEscrow in this project or IVotingEscrow.sol should be added and utilised.

As this was forked or inspired by the FIAT DAO repo, this comment was most likely from there. It should be removed and replaced with the function descriptions for more clarity when reading through the contract.

Instances:

https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L267 https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L286 https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L327 https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L360 https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L477 https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L491 https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L569 https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L576

[QA-2] createLock has an unnecessary nonReentrant Modifier

https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol#L268

This function has no route or possibility for an arbitrary call to take place that would allow for an reentrancy attack so it is unnecessary despite it not affecting execution flow. It could be removed to save on unnecessary gas execution and for code principle.

#0 - c4-judge

2023-08-22T14:01:35Z

alcueca marked the issue as grade-a

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter