FairSide contest - Ruhum's results

Decentralized Cost Sharing Network.

General Information

Platform: Code4rena

Start Date: 09/11/2021

Pot Size: $30,000 ETH

Total HM: 6

Participants: 17

Period: 3 days

Judge: pauliax

Total Solo HM: 3

Id: 50

League: ETH

FairSide

Findings Distribution

Researcher Performance

Rank: 8/17

Findings: 1

Award: $732.92

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository FairSide

Findings Information

🌟 Selected for report: Ruhum

Labels

bug

1 (Low Risk)

sponsor confirmed

Awards

0.131 ETH - $619.94

External Links

Link to GitHub issue

Handle

Ruhum

Vulnerability details

Impact

The comment for the disableOffchainVoting() function specifies that the feature can be reenabled in the future through a proposal. But, there seems to be no function to do that in the DAO contract.

Proof of Concept

Function with the comment: https://github.com/code-423n4/2021-11-fairside/blob/main/contracts/dao/FairSideDAO.sol#L619

No way to reassign the value: grep offchain

Tools Used

Manual Analysis

Recommended Mitigation Steps

Either remove the comment if the feature is not intended or add a function to reassign the offchain and guardian state variable

#0 - pauliax
2021-11-17T16:09:10Z

Great find, it should be possible to enable the off-chain voting again or this misleading comment needs to be deleted.

Findings Information

🌟 Selected for report: cmichel

Also found by: Ruhum, rfa, ye0lde

Labels

bug

duplicate

1 (Low Risk)

sponsor disputed

Awards

0.0239 ETH - $112.98

External Links

Link to GitHub issue

Handle

Ruhum

Vulnerability details

Impact

There are a couple of spots in the codebase where SafeMath isn't used. But, there are a handful of ones that caught my eye since they do arithmetic using user input. In this case, the msg.value property. Technically, the user is able to trigger an underflow here. I didn't have time to review the math to fully grasp the possible attack scenario. Nevertheless, I wanted to raise the issue since I don't think the possible underflow is intended.

Proof of Concept

https://github.com/code-423n4/2021-11-fairside/blob/main/contracts/token/FSD.sol#L176

https://github.com/code-423n4/2021-11-fairside/blob/main/contracts/token/FSD.sol#L216

https://github.com/code-423n4/2021-11-fairside/blob/main/contracts/token/FSD.sol#L244

Depending on the amount of ETH in the contract and the already pending withdrawals the user can cause an underflow here.

https://github.com/code-423n4/2021-11-fairside/blob/main/contracts/token/FSD.sol#L281

Tools Used

Manual Analysis

Recommended Mitigation Steps

Use SafeMath instead of Solidity's own math logic.

#0 - YunChe404
2021-11-14T16:36:18Z

The getReserveBalance() will be increased by bonded/msg.value at the start of this call, so unchecked subtractions are protected. Also pending withdrawals are always lesser than the ether balance of the token

#1 - pauliax
2021-11-19T11:00:58Z

A duplicate of #71, please read the comment there.

FairSide contest - Ruhum's results

Decentralized Cost Sharing Network.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $732.92

QA Report - $732.92

🚀 [L-01] Offchain voting can't be renabled in DAO - $619.94

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - pauliax2021-11-17T16:09:10Z

[L-06] FSD.sol `mint()`, `mintHatch()`, `mintBeta()`, and `burn()` are susceptible to integer underflows - $112.98

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - YunChe4042021-11-14T16:36:18Z

#1 - pauliax2021-11-19T11:00:58Z

#0 - pauliax
2021-11-17T16:09:10Z

#0 - YunChe404
2021-11-14T16:36:18Z

#1 - pauliax
2021-11-19T11:00:58Z