Tigris Trade contest - Secureverse's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Tigris Trade

Findings Distribution

Researcher Performance

Rank: 54/84

Findings: 1

Award: $133.36

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-462

Awards

133.3608 USDC - $133.36

External Links

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L44-L51
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L65-L72

Vulnerability details

Impact

This scenario has impact when multiple tokens are listed on the platform and, for some reason, their prices diverge. A malicious user simply deposits the less valuable token into the platform and withdraws the more valuable token from the contract. Another situation: when a stablecoin is on the verge of collapse (as recently happened with UST), users can front-run the owner's delistToken() call, deposit their collapsing token and withdraw another token, which causes other users to suffer a loss.

Proof of Concept

After depositing one type of token, a user is able to withdraw any other listed token, because withdraw() only checks the caller's Tigris stable token balance, burns it, and transfers the same amount of the requested listed token in return.

Let USDT and DAI have some price difference because DAI is collapsing (hypothetically):
1. I call deposit() with 1000 DAI.
2. The contract mints back 1000 Tigris stable tokens.
3. I notice the price difference.
4. I call withdraw() with 1000 Tigris stable tokens and the USDT address.
5. I successfully withdraw 1000 USDT.
By making these transactions I'm stealing other users' funds.

There is a delisting option, delistToken(), available for the owner to delist a token at any time, but it can be front-run.

function deposit(address _token, uint256 _amount) public {
    require(allowed[_token], "Token not listed");
    IERC20(_token).transferFrom(_msgSender(), address(this), _amount);
    // Mints the single shared stable token 1:1 with the deposit, normalised to 18 decimals
    IERC20Mintable(stable).mintFor(
        _msgSender(),
        _amount*(10**(18-IERC20Mintable(_token).decimals()))
    );
}

function withdraw(address _token, uint256 _amount) external returns (uint256 _output) {
    // Only the caller's stable balance is burned; nothing ties the burn to the token originally deposited
    IERC20Mintable(stable).burnFrom(_msgSender(), _amount);
    _output = _amount/10**(18-IERC20Mintable(_token).decimals());
    IERC20(_token).transfer(
        _msgSender(),
        _output
    );
}

Tools Used

Manual Review

Recommended Mitigation Steps

Mint a separate Tigris stable token for each listed token, as other protocols do; for example, Aave mints a different aToken for each listed token.
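To make the accounting argument concrete, the following is an added Python model (not the project's code) of the deposit/withdraw arithmetic quoted above, run once with the single shared stable token and once with a per-token receipt balance as the mitigation suggests. The DAI/USDT listing, the amounts and the "lp" and "user" accounts are constructed; the model covers only the arithmetic, not the ERC-20 transfers or the unchecked token address in withdraw().

```python
from collections import defaultdict

DECIMALS = {"DAI": 18, "USDT": 6}  # constructed listing; stands in for allowed[_token] and decimals()

class StableVaultModel:
    """Model of the StableVault deposit/withdraw arithmetic (constructed, not the project's code).
    shared=True: one stable token for every listed asset (as audited); shared=False: one receipt per asset."""

    def __init__(self, shared=True):
        self.shared = shared
        self.reserves = defaultdict(int)  # asset -> raw units held by the vault
        self.stable = defaultdict(int)    # user -> 18-decimal shared stable balance
        self.receipts = defaultdict(int)  # (user, asset) -> 18-decimal per-asset receipt

    def deposit(self, user, asset, amount):
        minted = amount * 10 ** (18 - DECIMALS[asset])  # same normalisation as mintFor()
        self.reserves[asset] += amount
        if self.shared:
            self.stable[user] += minted
        else:
            self.receipts[(user, asset)] += minted
        return minted

    def withdraw(self, user, asset, amount):
        if self.shared:
            # Audited behaviour: any stable balance can be burned to redeem any listed asset.
            if self.stable[user] < amount:
                raise ValueError("burn exceeds balance")
            self.stable[user] -= amount
        else:
            # Mitigated behaviour: only a receipt minted for this asset can redeem it.
            if self.receipts[(user, asset)] < amount:
                raise ValueError("no receipt for this token")
            self.receipts[(user, asset)] -= amount
        output = amount // 10 ** (18 - DECIMALS[asset])  # mirrors _amount/10**(18-decimals)
        if self.reserves[asset] < output:
            raise ValueError("insufficient reserves")
        self.reserves[asset] -= output
        return output

def cross_asset_withdrawal(shared):
    """Deposit 1000 DAI, then try to redeem the minted balance for USDT: USDT units paid out, or the rejection."""
    vault = StableVaultModel(shared)
    vault.deposit("lp", "USDT", 5_000 * 10**6)          # an earlier depositor seeded the USDT reserves
    minted = vault.deposit("user", "DAI", 1_000 * 10**18)
    try:
        return vault.withdraw("user", "USDT", minted)    # shared model: 1000e18 stable -> 1000e6 USDT
    except ValueError as err:
        return str(err)
```

In the shared model the USDT paid out comes entirely from the earlier depositor's reserves; in the per-asset model the same call is rejected while a DAI-for-DAI redemption still works.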

#0 - GalloDaSballo

2022-12-19T23:00:50Z

I think you're missing the forest for the tree

The system allows free arbitrage (worsened in case of depeg)

This is akin to a swap

I will dup to the rest of the "no liquidity premium", but I think I'll have to mark as dup at 50%

#1 - c4-judge

2022-12-20T16:12:35Z

GalloDaSballo marked the issue as duplicate of #462

#2 - c4-judge

2022-12-20T16:13:16Z

GalloDaSballo changed the severity to 3 (High Risk)

#3 - c4-judge

2023-01-22T17:36:53Z

GalloDaSballo marked the issue as satisfactory
