Platform: Code4rena
Start Date: 28/09/2023
Pot Size: $36,500 USDC
Total HM: 5
Participants: 115
Period: 6 days
Judge: 0xDjango
Total Solo HM: 1
Id: 290
League: ETH
Rank: 20/115
Findings: 2
Award: $230.75
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xDetermination
Also found by: DeFiHackLabs, Norah, Pessimistic, PwnStars, SpicyMeatball, Testerbot, ThreeSigma, bin2chen, blutorque, deadrxsezzz, dirk_y, ether_sky, hals, neumo, rokinot, said, seerether, turvy_fuzz
198.4834 USDC - $198.48
https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L704-L719 https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L200-L230
In Prime.sol, updateScores function update user scores in case of parameter changes (for example, when score formula is changed). This function should be called for every user whose score has not been updated since the last time _startScoreUpdateRound function was invoked.
The number of users who still need to update the score is stored in the pendingScoreUpdates variable. If the user's score was updated in the current round, the isScoreUpdated[nextScoreUpdateRoundId][user] variable is set to true for that user. Such a user does not decrease the pendingScoreUpdates variable if someone tries to update their score again.
If the user minted a new token in the current round, they should not be eligible for an update. Therefore, such a user should not decrease the pendingScoreUpdates variable if their user address is provided to the updateScores function. However, in the current implementation, there is no check for this behaviour. If a new user provides their address to the updateScores function, they will decrease the pendingScoreUpdates value since isScoreUpdated[nextScoreUpdateRoundId][user] variable is equal to false for them. As a result, some other users who require the update will not be able to update their scores in batch with the updateScores function due to check at line 201:
if (pendingScoreUpdates == 0) revert NoScoreUpdatesRequired();
Note, that these users is still able to update their score by calling xvsUpdated function, however updateScores function would not work.
As a result of the aforementioned issue, some user scores would not be updated since the updateScores function will malfunction due to the incorrect pendingScoreUpdates variable. The score of each individual user can still be updated by calling the xvsUpdated function. However, this approach is inconvenient since the xvs balance was not actually changed for them.
Furthermore, it is worth noting that since pendingScoreUpdates is a public variable, its incorrectness can affect the functioning of external services that rely on accurate data from the contract. If the monitoring of the protocol relies of the pendingScoreUpdates variable and updateScores function for updates, it is easy to oversee the unchanged score for a user. As a result, someone will retain their old score:
We recommend setting the isScoreUpdated[nextScoreUpdateRoundId][user] value to true when the token is minted, as these users do not require a score update in the current round.
Invalid Validation
#0 - c4-pre-sort
2023-10-04T23:03:11Z
0xRobocop marked the issue as duplicate of #555
#1 - c4-judge
2023-11-01T20:28:48Z
fatherGoose1 marked the issue as satisfactory
#2 - c4-judge
2023-11-05T00:52:22Z
fatherGoose1 changed the severity to 3 (High Risk)
🌟 Selected for report: 0xDetermination
Also found by: 0xblackskull, 0xweb3boy, ADM, Breeje, Pessimistic, PwnStars, SBSecurity, Satyam_Sharma, ThreeSigma, al88nsk, blutorque, debo, dethera, maanas, neumo, oakcobalt, pina, said, sces60107, tapir, tsvetanovv, xAriextz
32.2731 USDC - $32.27
https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L208
In Prime.sol, in the updateScores function, there is a bug on line 208. This line contains a continue statement without incrementing the for loop iteration index (i). As a result, if someone provides a user address that is already updated, the updatedScores transaction will consume all provided gas in an endless loop.
There is one malicious scenario possible: a malicious agent can frontrun the updateScores function call with multiple addresses by updating a single user's score from that batch. As a result, batch update will fail.
This behavior does not lead to a profit for an attacker, but it disrupts all attempts to batch update scores. For a system with multiple users, it is crucial to have batch update functions in order to save gas on updates.
To mitigate this issue, we recommend incrementing the loop index before the continue statement. In that case, even if the batch contains an already updated user, the transaction would not fail.
Loop
#0 - c4-pre-sort
2023-10-04T22:44:46Z
0xRobocop marked the issue as duplicate of #556
#1 - c4-judge
2023-11-01T20:26:49Z
fatherGoose1 marked the issue as satisfactory