Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $55,000 USDC
Total HM: 29
Participants: 88
Period: 5 days
Judge: gzeon
Total Solo HM: 7
Id: 134
League: ETH
Rank: 11/88
Findings: 7
Award: $1,517.93
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: Lambda
Also found by: 0x29A, Chom, cryptphi, itsmeSTYJ, kenzo, kirk-baird, sashik_eth
226.125 USDC - $226.12
In redeem, it is checked that the allowance is larger than underlyingAmount, which is the return parameter (i.e., equal to 0 at that point). Therefore, this check is always true and there is no actual allowance check, allowing anyone to redeem for another user.
Change the underlyingAmount to principalAmount, which is the intended parameter.
#0 - sourabhmarathe
2022-06-30T18:05:19Z
While we did not actually intend to audit the 5095 implementation, as 5095 itself is not yet final, we did describe its purpose in our codebase in the initial readme, and didn't specify that it was not in scope. (we wanted wardens to understand its role in our infra)
With that context, we will leave it up to the judges whether or not to accept issues related to the ERC5095 token.
#1 - gzeoneth
2022-07-16T15:38:01Z
I think it is fair to accept issues related to the ERC5095 token.
🌟 Selected for report: kenzo
Also found by: 0x29A, GimelSec, Lambda, StErMi, cccz, csanuragjain, kirk-baird, sashik_eth, shenwilly
https://github.com/code-423n4/2022-06-illuminate/blob/217ddfef05bc9df5c7b94f1c3226a46ee136b57d/marketplace/ERC5095.sol#L100 https://github.com/code-423n4/2022-06-illuminate/blob/217ddfef05bc9df5c7b94f1c3226a46ee136b57d/marketplace/ERC5095.sol#L116
In withdraw and redeem (where there is another issue that the wrong amount is checked, for which an own submission exists), the allowance is not decreased after withdrawal / redemption. A user that has an allowance for only a small value can therefore call the function multiple times to withdraw / redeem more than what would be allowed by the allowance.
We assume that Bob has 100 tokens gave Alice an allowance to spend 10 tokens. Alice now can call withdraw 10 times and pass 10 as underlyingAmount. Therefore, she gets all 100 tokens of Bob, although he did not allow that.
Change the underlyingAmount to principalAmount, which is the intended parameter.
#0 - KenzoAgada
2022-06-28T06:29:27Z
Duplicate of #245
🌟 Selected for report: Picodes
Also found by: Chom, Lambda, auditor0517, cryptphi, csanuragjain, hansfriese, hyh, kenzo, kirk-baird, pashov, unforgiven, zer0dot
82.1689 USDC - $82.17
In redeem, the original underlying token should be transferred back to the user when an iPT is redeemed. But the target of the transfer is actually address(this), i.e. the Redeemer.
Transfer the original underlying token to the user, as it is intended.
#0 - sourabhmarathe
2022-06-29T14:17:36Z
Duplicate of #384.
🌟 Selected for report: WatchPug
Also found by: Lambda, csanuragjain, datapunk
689.3003 USDC - $689.30
In redeem, the maturity is not checked. For Tempus, this can lead to problems (loss of funds), because it supports early redemption with a smaller payout. See here for the code of Tempus that sets the early withdrawal flag before the maturity. Therefore, when someone (that can be different to the user) initiates a redemption for Tempus, a user may get much less tokens back when he can initiate the iLP redemption after the maturity.
Disallow early redemption for Tempus, i.e. check that the maturity has passed.
#0 - sourabhmarathe
2022-06-29T17:20:28Z
Duplicate of #159.
In redeem, the following code is executed for Notional:
amount = INotional(principal).maxRedeem(address(this));
However, in contrast to the other calls that are performed there, this does not initiate any transfer and only returns the maximum amount, because the definition of maxRedeem in Notional is:
function maxRedeem(address owner) public view override returns (uint256) { return balanceOf(owner); }
Call redeem for Notional (see the definition here).
#0 - KenzoAgada
2022-06-28T08:28:41Z
Duplicate of #341
🌟 Selected for report: defsec
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkowloon, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, Funen, GalloDaSballo, GimelSec, IllIllI, JC, Kenshin, Kulk0, Lambda, Limbooo, MadWookie, Metatron, Picodes, Soosh, StErMi, TomJ, WatchPug, Waze, Yiko, _Adam, ak1, asutorufos, aysha, bardamu, catchup, datapunk, delfin454000, dipp, fatherOfBlocks, grGred, hake, hansfriese, hyh, joestakey, kebabsec, kenzo, kirk-baird, oyc_109, pashov, poirots, rfa, robee, saian, sashik_eth, shenwilly, simon135, slywaters, z3s, zeesaw, zer0dot
85.2275 USDC - $85.23
lend methods, consider validating the p parameter (i.e., that it actually refers to the principal that the method expects). Otherwise, there can be security vulnerabilities when two principals share the same method(s) (which would not be too suprising, because they have similar functionality), in which case execution could still succeed, but with wrong values / assumptions.ERC20Permit.sol, there is duplicated code. DOMAIN_SEPERATOR() could be used instead.ecrecover is called without checking for invalid v and s values, which goes against best practices because of malleability (see https://0xsomeone.medium.com/b002-solidity-ec-signature-pitfalls-b24a0f91aef4 for details). Consider checking for those values or using OpenZeppelin's ECDSA library, which performs these checks for you.p is set to 0 when Redeem is emitted. This is wrong in this case, as p is not 0 in the else branch.authRedeem within Redeemer.sol, no Redeem event is emitted, which is inconsistent with the other redeem functions.🌟 Selected for report: BowTiedWardens
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xkowloon, Bnke0x0, ElKu, Fitraldys, Funen, GalloDaSballo, IllIllI, JC, Kaiziron, Lambda, MadWookie, Noah3o6, Nyamcil, RoiEvenHaim, TomJ, Tomio, UnusualTurtle, Waze, _Adam, ajtra, asutorufos, bardamu, c3phas, catchup, datapunk, defsec, delfin454000, fatherOfBlocks, grGred, hake, hansfriese, hyh, ignacio, joestakey, kebabsec, ladboy233, oyc_109, pashov, poirots, rfa, robee, sach1r0, samruna, sashik_eth, simon135, slywaters, z3s, zer0dot
62.4602 USDC - $62.46