Tigris Trade contest - Rolezn's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Tigris Trade

Findings Distribution

Researcher Performance

Rank: 60/84

Findings: 2

Award: $72.06

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 0xdeadbeef0x

Also found by: 0x52, 8olidity, Faith, KingNFT, Rolezn, Ruhum, mookimgo, rbserver

Labels

2 (Med Risk)
satisfactory
duplicate-198

Awards

60.3691 USDC - $60.37

External Links

Judge has assessed an item in Issue #164 as M risk. The relevant finding follows:

[LOW‑1] The Contract Should approve(0) First

Some tokens (like USDT L199) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved to zero, and then the actual allowance must be approved.

Proof Of Concept

117: IERC20(assets[i]).approve(address(bondNFT), type(uint256).max);

https://github.com/code-423n4/2022-12-tigris/tree/main/contracts/Lock.sol#L117

652: IERC20(_marginAsset).approve(_stableVault, type(uint).max);

https://github.com/code-423n4/2022-12-tigris/tree/main/contracts/Trading.sol#L652

Recommended Mitigation Steps

Approve with a zero amount first before setting the actual amount.

#0 - c4-judge

2023-01-22T20:25:21Z

GalloDaSballo marked the issue as duplicate of #198

#1 - c4-judge

2023-01-22T20:25:28Z

GalloDaSballo marked the issue as satisfactory
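An added example, not code from the submission or from the Tigris Trade contracts, showing why the `approve(max)` calls at Lock.sol#L117 and Trading.sol#L652 fail on USDT-style tokens and what the recommended mitigation looks like. `UsdtLikeToken` is a constructed mock reproducing the allowance check the finding refers to (USDT L199); `ApprovalExample`, `approveUnsafe`, `approveSafe` and `_rawApprove` are hypothetical names. The safe version goes one step beyond the recommendation: it issues the approve as a low-level call so it also tolerates tokens whose `approve` returns no data, which real USDT does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Constructed mock of a USDT-style token. Real USDT (TetherToken, L199) has
//   require(!((_value != 0) && (allowed[msg.sender][_spender] != 0)));
// i.e. a non-zero allowance may only be changed by first resetting it to zero.
// The mock returns a bool so the example isolates this one behaviour.
contract UsdtLikeToken is IERC20 {
    mapping(address => mapping(address => uint256)) private _allowed;

    function approve(address spender, uint256 amount) external override returns (bool) {
        require(
            !(amount != 0 && _allowed[msg.sender][spender] != 0),
            "USDT: reset allowance to 0 first"
        );
        _allowed[msg.sender][spender] = amount;
        return true;
    }

    function allowance(address owner, address spender) external view override returns (uint256) {
        return _allowed[owner][spender];
    }
}

contract ApprovalExample {
    // The pattern from the finding: succeeds the first time, reverts on every
    // later call while the existing allowance is still non-zero.
    function approveUnsafe(IERC20 token, address spender) external {
        token.approve(spender, type(uint256).max);
    }

    // Mitigation: clear any existing allowance, then set the desired one.
    function approveSafe(IERC20 token, address spender, uint256 amount) external {
        if (token.allowance(address(this), spender) != 0) {
            _rawApprove(address(token), spender, 0);
        }
        _rawApprove(address(token), spender, amount);
    }

    // Low-level approve that accepts either a `true` return value or no return
    // data at all (real USDT returns nothing, so calling it through IERC20
    // would revert on ABI decoding even when the allowance check passes).
    function _rawApprove(address token, address spender, uint256 amount) private {
        require(token.code.length > 0, "not a contract");
        (bool ok, bytes memory ret) =
            token.call(abi.encodeWithSelector(IERC20.approve.selector, spender, amount));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve failed");
    }
}
```

Calling `approveUnsafe` twice against `UsdtLikeToken` reverts on the second call with "USDT: reset allowance to 0 first"; `approveSafe` succeeds every time because it resets the allowance before writing the new value. In production the same pattern is available as OpenZeppelin's `SafeERC20.forceApprove` (or `safeApprove(0)` followed by `safeApprove(amount)` on older releases).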

Awards

11.6941 USDC - $11.69

Labels

bug
2 (Med Risk)
satisfactory
duplicate-655

External Links

Lines of code

https://github.com/code-423n4/2022-12-tigris/tree/main/contracts/utils/TradingLibrary.sol#L113

Vulnerability details

Description

According to Chainlink's documentation, the latestAnswer function is deprecated. This function might suddenly stop working if Chainlink stops supporting deprecated APIs, and the old API can return stale data.

Proof Of Concept

113: int256 assetChainlinkPriceInt = IPrice(_chainlinkFeed).latestAnswer();

https://github.com/code-423n4/2022-12-tigris/tree/main/contracts/utils/TradingLibrary.sol#L113

Recommended Mitigation Steps

Use the latestRoundData function to get the price instead. Add checks on the return data with proper revert messages if the price is stale or the round is incomplete. See docs for reference: https://docs.chain.link/docs/price-feeds-api-reference/

#0 - c4-judge

2022-12-20T16:35:05Z

GalloDaSballo marked the issue as duplicate of #655

#1 - c4-judge

2023-01-22T17:31:06Z

GalloDaSballo marked the issue as satisfactory
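An added example, not code from the submission or from the Tigris contracts, of the replacement the mitigation recommends: reading latestRoundData() instead of latestAnswer() and reverting with a specific reason when the answer is unusable. AggregatorV3Interface is Chainlink's real interface (only the members used here are declared); `SafeChainlink`, `getPrice`, the `maxAge` parameter, `MockAggregator` and `PriceConsumer` are hypothetical names constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Subset of Chainlink's AggregatorV3Interface. latestRoundData() is the
// supported successor of the deprecated latestAnswer() and, unlike it,
// exposes the round metadata needed to detect stale or incomplete data.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

library SafeChainlink {
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    // Returns the latest price, reverting instead of silently using a zero,
    // negative, stale or incomplete answer. maxAge should be derived from the
    // feed's documented heartbeat (plus a small tolerance).
    function getPrice(AggregatorV3Interface feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        if (answer <= 0) revert InvalidPrice(answer);
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);

        return uint256(answer);
    }
}

// Constructed mock so the checks can be exercised without a live feed.
contract MockAggregator is AggregatorV3Interface {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    function set(uint80 _roundId, int256 _answer, uint256 _updatedAt, uint80 _answeredInRound) external {
        roundId = _roundId;
        answer = _answer;
        updatedAt = _updatedAt;
        answeredInRound = _answeredInRound;
    }

    function decimals() external pure override returns (uint8) { return 8; }

    function latestRoundData() external view override returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}

// Consumer in the spirit of TradingLibrary.sol#L113: a price is only returned
// when every check passes, so callers never see a stale value.
contract PriceConsumer {
    using SafeChainlink for AggregatorV3Interface;

    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxAge; // e.g. 3600 + tolerance for a 1-hour heartbeat feed

    constructor(AggregatorV3Interface _feed, uint256 _maxAge) {
        feed = _feed;
        maxAge = _maxAge;
    }

    function assetPrice() external view returns (uint256) {
        return feed.getPrice(maxAge);
    }
}
```

With the mock set to an `updatedAt` older than `maxAge`, `assetPrice()` reverts with `StalePrice`; with `answeredInRound` below `roundId` it reverts with `IncompleteRound`; with a zero or negative `answer` it reverts with `InvalidPrice`. Chainlink has since marked `answeredInRound` as deprecated for its current feeds, so the `updatedAt` heartbeat comparison is the check that actually catches stale data today; the round comparison costs little and still guards older feeds.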

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
