Platform: Code4rena
Start Date: 28/06/2022
Pot Size: $25,000 USDC
Total HM: 14
Participants: 50
Period: 4 days
Judge: GalloDaSballo
Total Solo HM: 7
Id: 141
League: ETH
Rank: 5/50
Findings: 4
Award: $2,274.77
π Selected for report: 1
π Solo Findings: 0
1074.0464 USDC - $1,074.05
In doTransferOut, the underlying balance of the CNote has to be 0 after the transfer. While this works fine when the underlying balance of the CNote was 0 before the call (i.e., in the normal case), the function will always revert when the balance was greater than 0 before the transfer. An attacker can therefore block all withdrawals by sending a tiny amount of the underlying token to the CNote.
User A holds multiple CNotes with an arbitrary underlying Token TKN. After some time, he wants to redeem his CNote for TKN and therefore calls redeemFresh. However, before he does that, an attacker transfers 1 TKN to the contract address of the CNote. In doTransferOut, amount is sent to the CNote and then transferred to user A. However, after the transfer, token.balanceOf(address(this)) > 0, meaning the transfer will always fail.
Store the balance before the transfer and check that the difference is equal to the amount.
#0 - GalloDaSballo
2022-08-16T15:49:54Z
Dup of #43
1074.0464 USDC - $1,074.05
https://github.com/Plex-Engineer/lending-market-v2/blob/2646a7676b721db8a7754bf5503dcd712eab2f8a/contracts/NoteInterest.sol#L118 https://github.com/Plex-Engineer/lending-market-v2/blob/2646a7676b721db8a7754bf5503dcd712eab2f8a/contracts/CToken.sol#L209
According to the documentation in InterestRateModel, getBorrowRate has to return the borrow rate per block and the function borrowRatePerBlock in CToken directly returns the value of getBorrowRate. However, the rate per year is returned for NoteInterest. Therefore, using NoteInterest as an interest model will result in completely wrong values.
Return baseRatePerBlock.
#0 - GalloDaSballo
2022-08-16T16:54:34Z
The warden has shown that the borroRate is returning per-year values instead of per-block values
The effect of this is that the accounting will be magnified massively.
While impact should be mostly loss of value to interest and incorrect yield, due to the math being wrong I do agree with High Severity
π Selected for report: zzzitron
Also found by: 0v3rf10w, 0x1f8b, 0x29A, AlleyCat, Bnke0x0, Chom, Funen, JC, Lambda, Limbooo, Meera, Picodes, Sm4rty, TerrierLover, TomJ, __141345__, asutorufos, aysha, c3phas, cccz, defsec, fatherOfBlocks, grGred, hake, ignacio, ladboy233, mrpathfindr, oyc_109, rfa, sach1r0, samruna, slywaters, ynnad
104.8725 USDC - $104.87
AddProposal (https://github.com/Plex-Engineer/manifest-v2/blob/3aedf21400a470a50c9be6e38f1ca57f061eca46/contracts/Proposal-Store.sol#L46). This is probably not desired, as an approved proposal that is added to the store should be immutable. Consider checking if the proposal exists in the function.Proposal-Store.sol is wrong and seems to be copied from ERC20DirectBalanceManipulation.sol.NoteInterest.sol, it is mentioned that adjusterCoefficient has a default value of 1, although there is no default value.CErc20.sol is problematic for tokens that have multiple entry points (see https://github.com/d-xo/weird-erc20), as an admin can then take over all of the underlying tokens.setAccountantContract to avoid errors.ProposalStore.go, this comment refers to the wrong variable.doTransferIn of the contract CNote, this comment is wrong, as there is no underflow that can occur there.#0 - GalloDaSballo
2022-08-13T22:48:02Z
Valid Low
NC
Because the comment leads to believe the intended default value should be 1, but the value is 0, I think Low is appropriate
This is the TUSD vuln, I think exploited against Rari or Scream
See POC: https://github.com/Rivaill/CryptoVulhub/tree/master/CompoundTUSDSweepTokenBypass
Valid Low
NC
NC
Amazing little report, decent format, concise, great to see!
#1 - GalloDaSballo
2022-08-13T22:48:16Z
4L 3NC
#2 - GalloDaSballo
2022-08-16T21:12:19Z
Because no Med Submission mentioned the double address, I think Low is still correct here
Additionally, with the information that we have (Code under scope), the sponsor is not going to deploy a token with two addresses, so for that reason I think Low is appropriate
π Selected for report: 0x1f8b
Also found by: 0x29A, 0xArshia, 0xKitsune, Bnke0x0, Chom, Fitraldys, Funen, JC, Lambda, Meera, Noah3o6, Picodes, RedOneN, Rohan16, Sm4rty, TerrierLover, TomJ, Tomio, Waze, ajtra, c3phas, cRat1st0s, defsec, durianSausage, fatherOfBlocks, grGred, hake, ladboy233, m_Rassska, mrpathfindr, oyc_109, rfa, ynnad
21.8032 USDC - $21.80
In NoteInterest.sol and Timelock.sol, SafeMath is used, although the Solidity version is >= 0.8.0.
#0 - GalloDaSballo
2022-08-14T20:50:37Z
Saves 20 gas