Arcade.xyz - QiuhaoLi's results

The first of its kind Web3 platform to enable liquid lending markets for NFTs.

General Information

Platform: Code4rena

Start Date: 21/07/2023

Pot Size: $90,500 USDC

Total HM: 8

Participants: 60

Period: 7 days

Judge: 0xean

Total Solo HM: 2

Id: 264

League: ETH

Arcade.xyz

Findings Distribution

Researcher Performance

Rank: 47/60

Findings: 2

Award: $194.68

QA: grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

194.678 USDC - $194.68

Labels

bug
downgraded by judge
grade-a
QA (Quality Assurance)
sponsor acknowledged
Q-02

External Links

Lines of code

https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/ArcadeTreasury.sol#L340

Vulnerability details

Impact

Detailed description of the impact of this finding.

Proof of Concept

To prevent the admin from calling token contracts directly and bypassing the spending functions, batchCalls() checks that spendThresholds[targets[i]].small != 0 for each target:

    function batchCalls(
        address[] memory targets,
        bytes[] calldata calldatas
    ) external onlyRole(ADMIN_ROLE) nonReentrant {
        if (targets.length != calldatas.length) revert T_ArrayLengthMismatch();
        // execute a package of low level calls
        for (uint256 i = 0; i < targets.length; ++i) {
            // only targets that already have a threshold configured are rejected
            if (spendThresholds[targets[i]].small != 0) revert T_InvalidTarget(targets[i]);
            // ... (rest of the loop body omitted in the excerpt)

However, the check can be bypassed, e.g.:

  1. The admin has ArcadeTreasury call token A's contract, for which no threshold has been set yet (setThreshold has not been called for A).
  2. ArcadeTreasury calls A.approve(spender, amount).
  3. Token A is deposited into ArcadeTreasury.
  4. The spender spends the tokens, bypassing the spend functions.

Tools Used

Manual Review

An ad-hoc fix may be to forbid any token contract calls (including tokens whose thresholds are not set yet). But in the long term, I think we should limit what the admin can call with finer-grained functions and avoid this batchCalls function.
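The scenario above and the suggested tightening, as an added illustration that is not Arcade's code: one contract that models the original target check in batchCalls() (reject only when a threshold is configured) beside a default-deny variant that allowlists (target, selector) pairs; `allowedCall`, `governance`, `setAllowedCall` and the `demo` scenario are assumptions, while `spendThresholds` and the struct name mirror the excerpt.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not Arcade's code. Models the target check in batchCalls()
// from the finding (a target is rejected only when spendThresholds[target].small
// is non-zero) next to a default-deny variant that allowlists (target, selector)
// pairs. `allowedCall`, `governance` and the demo scenario are assumptions.
contract BatchCallGate {
    struct SpendThreshold { uint256 small; uint256 medium; uint256 large; }

    address public immutable governance;
    mapping(address => SpendThreshold) public spendThresholds;
    // Hardened rule: governance must explicitly permit each target/selector pair.
    mapping(address => mapping(bytes4 => bool)) public allowedCall;
    bytes4 private constant APPROVE = bytes4(keccak256("approve(address,uint256)"));

    constructor() { governance = msg.sender; }
    modifier onlyGovernance() { require(msg.sender == governance, "not governance"); _; }

    function setThreshold(address token, SpendThreshold calldata t) external onlyGovernance {
        spendThresholds[token] = t;
    }
    function setAllowedCall(address target, bytes4 sel, bool ok) external onlyGovernance {
        allowedCall[target][sel] = ok;
    }

    // Original check: rejects only targets with a configured threshold, so a
    // token that has not gone through setThreshold passes.
    function originalBlocks(address target) public view returns (bool) {
        return spendThresholds[target].small != 0;
    }

    // Hardened check: default-deny. Calls without a 4-byte selector or to an
    // unlisted (target, selector) pair are rejected, threshold or not.
    function hardenedBlocks(address target, bytes calldata data) public view returns (bool) {
        if (data.length < 4) return true;
        return !allowedCall[target][bytes4(data[:4])];
    }

    // Replays the finding's scenario, an approve() on a token with no threshold
    // set, and reports whether each rule would block that call.
    function demo(address unconfiguredToken, address spender)
        external view returns (bool originalBlocked, bool hardenedBlocked)
    {
        bytes memory callData = abi.encodeWithSelector(APPROVE, spender, type(uint256).max);
        originalBlocked = originalBlocks(unconfiguredToken);
        hardenedBlocked = this.hardenedBlocks(unconfiguredToken, callData);
    }
}
```

With the allowlist empty, `demo` reports the original rule letting the approve() through and the hardened rule rejecting it; the allowlist approach is one way to realise the finer-grained control the finding recommends, not the sponsor's chosen mitigation (which, per the comments below, relies on setting thresholds for prominent tokens before handover).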

Assessed type

ERC20

#0 - 141345

2023-07-31T09:07:01Z

privileged functions, and the proposal needs to go through vote. Quite difficult to meet both.

#1 - c4-sponsor

2023-08-04T14:15:30Z

PowVT marked the issue as sponsor acknowledged

#2 - PowVT

2023-08-04T14:17:38Z

This would have to pass through a governance vote and pass the timelock waiting period to be executed. The intention at launch is that high value and prominent tokens will have their initial thresholds set at launch before the treasury is handed over to governance. This way the thresholds are already in place and scenarios like this one will be blocked.

#3 - c4-judge

2023-08-10T20:11:07Z

0xean changed the severity to QA (Quality Assurance)

#4 - 0xean

2023-08-10T23:09:01Z

Using this issue to score all of the warden's findings that have been marked as QA

#5 - c4-judge

2023-08-10T23:09:44Z

0xean marked the issue as grade-a
