QuickSwap and StellaSwap contest - Lambda's results

A concentrated liquidity DEX with dynamic fees.

General Information

Platform: Code4rena

Start Date: 26/09/2022

Pot Size: $50,000 USDC

Total HM: 13

Participants: 113

Period: 5 days

Judge: 0xean

Total Solo HM: 6

Id: 166

League: ETH

QuickSwap and StellaSwap

Researcher Performance

Rank: 4/113

Findings: 3

Award: $4,186.23

🌟 Selected for report: 1

🚀 Solo Findings: 1

Findings Information

🌟 Selected for report: rbserver

Also found by: Lambda, imare

Labels

bug
duplicate
2 (Med Risk)
sponsor disputed

Awards

878.9235 USDC - $878.92

External Links

Lines of code

https://github.com/code-423n4/2022-09-quickswap/blob/2ead456d3603d8a4d839cf88f1e41c102b5d040f/src/core/contracts/AlgebraPool.sol#L608

Vulnerability details

Impact

When a user transfers too many tokens within the _swapCallback, the additional tokens are not reimbursed. It is only required that he transferred at least the amount0 / amount1, but if he transferred more, this will also be accepted (which is generally fine). However, in such a situation, the additional tokens should be reimbursed to the user to avoid overpaying for the swap.

Proof of Concept

  • A user performs a USDC/ETH swap and would need to transfer 1000 USDC.
  • Instead, he transfers 1050 USDC.
  • The swap goes through, but the user does not get back the 50 USDC that were not required for the swap to succeed.

Reimburse the additional tokens after the swap.

#0 - sameepsi

2022-10-04T06:59:59Z

Additional periphery contracts are required to do extra sanitary checks including slippage checks.

#1 - 0xean

2022-10-06T19:12:31Z

dupe of #255

Findings Information

🌟 Selected for report: Lambda

Labels

bug
2 (Med Risk)
sponsor acknowledged

Awards

3255.2724 USDC - $3,255.27

External Links

Lines of code

https://github.com/code-423n4/2022-09-quickswap/blob/2ead456d3603d8a4d839cf88f1e41c102b5d040f/src/core/contracts/libraries/DataStorage.sol#L53

Vulnerability details

Impact

The system calculates the volatility over a time period like this:

$$\delta(t)=\frac{1}{T} \sum_{\tau \in[t-T, t]}(P(\tau)-\bar{P}(\tau))^{2}$$

However, while this estimator is consistent (it converges in probability as the number of samples goes to infinity), it is biased and the produced estimates for finite sample sizes will be generally too low. This will result in fees that are lower than they should be (because the volatility is underestimated) and therefore hurt users.

Apply Bessel's correction to get an unbiased estimate, i.e.:

$$\delta(t)=\frac{1}{T - 1} \sum_{\tau \in[t-T, t]}(P(\tau)-\bar{P}(\tau))^{2}$$

#0 - vladyan18

2022-10-03T15:26:35Z

I believe the current sample size which is 1 day (86 400 seconds) makes Bessel's correction redundant.

However, it can play a role in special situations, like here https://github.com/code-423n4/2022-09-quickswap/blob/2ead456d3603d8a4d839cf88f1e41c102b5d040f/src/core/contracts/libraries/DataStorage.sol#L354
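Added example (not part of the finding, the sponsor's reply, or the project's code): a Python simulation comparing the 1/T estimator with its Bessel-corrected 1/(T-1) form on constructed price windows, showing how the shortfall shrinks as the window grows. It assumes independent Gaussian price samples and a single window mean, which simplifies the page's $\bar{P}(\tau)$; all function names are hypothetical.

```python
import random

def variance_estimates(window):
    """Return (1/T estimate, 1/(T-1) estimate) around the window's own mean."""
    t = len(window)
    mean = sum(window) / t
    squared_dev = sum((p - mean) ** 2 for p in window)
    return squared_dev / t, squared_dev / (t - 1)

def mean_estimates(t, true_sigma=10.0, trials=20000, seed=1):
    """Average both estimators over many constructed windows of T samples.

    Prices are constructed sample data: Gaussian around 1000 with the given
    standard deviation, so the true variance is true_sigma ** 2.
    """
    rng = random.Random(seed)
    biased_sum = corrected_sum = 0.0
    for _ in range(trials):
        window = [rng.gauss(1000.0, true_sigma) for _ in range(t)]
        biased, corrected = variance_estimates(window)
        biased_sum += biased
        corrected_sum += corrected
    return biased_sum / trials, corrected_sum / trials

def expected_shortfall(t):
    """Fraction by which the 1/T estimator undershoots: 1 - (T-1)/T = 1/T."""
    return 1.0 / t

if __name__ == "__main__":
    true_var = 10.0 ** 2
    for t in (2, 5, 30):
        biased, corrected = mean_estimates(t)
        print(f"T={t:>2}: 1/T -> {biased:7.2f}  1/(T-1) -> {corrected:7.2f}  "
              f"true -> {true_var:.2f}  expected shortfall {expected_shortfall(t):.1%}")
    # Window size quoted in the sponsor's reply (one sample per second for a day).
    print(f"T=86400: expected shortfall {expected_shortfall(86400):.6%}")
```

For small windows the uncorrected estimate sits well below the true variance, while at 86,400 samples the expected shortfall is about 0.001%.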

  • In AlgebraFactory.setOwner, consider implementing a two-step ownership change process (with a confirmation from the new owner). Otherwise, you risk that the owner is set to a wrong address, which will be non-recoverable.
  • In AlgebraFactory.createPool, it is checked that token0 (the one with the lower address) is not zero. It would be better to require that token1 (the one with the higher address) is not zero, as this would ensure that both are not zero. Currently, token1 can be zero, as long as token0 is not.
  • The system uses uint32 for timestamps. This will only work until February 2106 and the contracts will be unusable afterwards.