Boot Finance contest - Meta0xNull's results

Custom DEX AMM for Defi Projects

General Information

Platform: Code4rena

Start Date: 04/11/2021

Pot Size: $50,000 USDC

Total HM: 20

Participants: 28

Period: 7 days

Judge: 0xean

Total Solo HM: 11

Id: 51

League: ETH

Boot Finance

Findings Distribution

Researcher Performance

Rank: 6/28

Findings: 3

Award: $3,234.11

🌟 Selected for report: 3

🚀 Solo Findings: 1

Findings Information

🌟 Selected for report: Meta0xNull

Labels

bug
3 (High Risk)
sponsor acknowledged

Awards

2907.6165 USDC - $2,907.62

External Links

Handle

Meta0xNull

Vulnerability details

Impact

When adding an investor, addInvestor() does not check how many tokens remain available from investors_supply. The total amount allocated to investors could therefore exceed investors_supply.

Possible Attack Scenario:

  1. An attacker who holds the admin private key calls addInvestor() with _amount >= investors_supply.
  2. The attacker can then claim all available tokens immediately.

Proof of Concept

https://github.com/code-423n4/2021-11-bootfinance/blob/main/vesting/contracts/InvestorDistribution.sol#L85-L94

Tools Used

Manual Review

Recommended Mitigation Steps

  1. Add require(_amount <= (investors_supply - Allocated_Amount)).
  2. When adding an investor, add the amount to Allocated_Amount using SafeMath.
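The unchecked pattern and the recommended fix side by side, as an added illustration that is not the Boot Finance InvestorDistribution code: the contract, the address parameter and the allocated_amount/remaining() names are assumptions; only investors_supply, addInvestor and _amount come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified distribution contract written for this note.
// It is not the audited InvestorDistribution contract.
contract InvestorDistributionExample {
    address public owner;
    uint256 public investors_supply;   // cap of tokens reserved for investors
    uint256 public allocated_amount;   // running sum of allocations granted so far
    mapping(address => uint256) public allocation;

    constructor(uint256 supply) {
        owner = msg.sender;
        investors_supply = supply;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Pattern described in the finding: nothing bounds _amount by the
    // remaining supply, so the sum of allocations can exceed investors_supply.
    function addInvestorUnchecked(address investor, uint256 _amount) external onlyOwner {
        allocation[investor] += _amount;
    }

    // Hardened version applying the recommended mitigation: bound _amount by
    // what is still unallocated and track the running total. Solidity >=0.8
    // reverts on arithmetic overflow, which covers the SafeMath step.
    function addInvestor(address investor, uint256 _amount) external onlyOwner {
        require(_amount <= investors_supply - allocated_amount, "exceeds investors_supply");
        allocated_amount += _amount;
        allocation[investor] += _amount;
    }

    // Tokens still available for future allocations.
    function remaining() external view returns (uint256) {
        return investors_supply - allocated_amount;
    }
}
```

With the check in place, a second addInvestor call whose _amount exceeds remaining() reverts instead of silently over-allocating.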

#0 - chickenpie347

2021-11-16T14:17:23Z

While this is true, the addInvestor would be a one-time routine at deployment which would precisely send the allocated number of tokens to the contract as per the allocations.
