Platform: Code4rena
Start Date: 14/06/2022
Pot Size: $100,000 USDC
Total HM: 26
Participants: 59
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 9
Id: 133
League: ETH
Rank: 20/59
Findings: 8
Award: $1,537.16
Selected for report: 2
Solo Findings: 0
782.2807 CANTO - $126.34
126.3383 USDC - $126.34
The updateBaseRate(uint newBaseRatePerYear) function allows anyone to update the baseRatePerYear once a certain time has passed (determined by updateFrequency). The ability to update the baseRatePerYear should be admin-only, as suggested by the admin-only function _setBaseRatePerYear(), which also sets the baseRatePerYear (Line 139).
This allows anyone to change the baseRatePerYear.
Require that msg.sender is an admin.
#0 - nivasan1
2022-06-23T02:26:02Z
duplicate of #22
1207.2233 CANTO - $194.97
194.9666 USDC - $194.97
Allows anyone to steal all Wrapped Manifest from the WETH.sol contract. The attacker can also call withdraw to convert Wrapped Manifest to Manifest.
The issue is in the approve(address owner, address spender) external function. It allows an attacker to approve themselves to spend another user's tokens.
The attacker can then use the transferFrom(address src, address dst, uint wad) function to send those tokens to themselves.
Hardhat + Chai test to show the exploit. The test file is test/POC.js: https://github.com/soosh1337/POC_lending_market_WETH
VSCode, Hardhat
I believe there is no need for this function. There is another approve(address guy, uint wad) function that uses msg.sender to approve allowance. There should be no need for someone to approve another user's allowance.
Remove the approve(address owner, address spender) function.
#0 - GalloDaSballo
2022-08-04T17:59:02Z
The warden has shown how, for whatever reason, an approve function which allows the "approver" to be passed as a parameter was present in the WETH contract.
This allows anyone to steal all WETH from any other holder.
For that reason, High Severity is appropriate
Selected for report: Soosh
Also found by: 0x1f8b, Ruhum, TerrierLover, WatchPug, cccz, csanuragjain, hake, p4st13r4, zzzitron
782.2807 CANTO - $126.34
126.3383 USDC - $126.34
https://github.com/Plex-Engineer/manifest/blob/688e9b4e7835854c22ef44b045d6d226b784b4b8/contracts/Proposal-Store.sol#L46 https://github.com/Plex-Engineer/lending-market/blob/b93e2867a64b420ce6ce317f01c7834a7b6b17ca/contracts/Governance/GovernorBravoDelegate.sol#L37
Proposal Store is used to store proposals that have already passed (https://code4rena.com/contests/2022-06-new-blockchain-contest#unigov-module-615-sloc): "Upon a proposal's passing, the proposalHandler either deploys the ProposalStore contract (if it is not already deployed) or appends the proposal into the ProposalStore's mapping (uint → Proposal)".
But anyone can add proposals to the contract directly via the AddProposal() function.
Unigov proposals can then be queued and executed by anyone in the GovernorBravoDelegate contract: https://github.com/Plex-Engineer/lending-market/blob/b93e2867a64b420ce6ce317f01c7834a7b6b17ca/contracts/Governance/GovernorBravoDelegate.sol#L37
Add authorization checks to AddProposal(): only the governance module should be able to add proposals.
#0 - GalloDaSballo
2022-08-10T22:13:54Z
The warden has shown how, due to a lack of checks, anyone can create, queue, and execute a proposal without any particular checks.
Because governance normally is limited via:
And the finding shows how this is completely ignored;
I believe High Severity to be appropriate
320.9326 USDC - $320.93
1987.1989 CANTO - $320.93
https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/Comptroller.sol#L1469 https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/Comptroller.sol#L1376
The getWETHAddress() function in Comptroller.sol returns 0xc00e94Cb662C3520282E6f5717214004A7f26888 (Compound Token Contract Address) instead of 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 (WETH address).
Etherscan links: WETH: https://etherscan.io/address/0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2 COMP: https://etherscan.io/address/0xc00e94cb662c3520282e6f5717214004a7f26888
This function is used in grantCompInternal(), which is in turn used by the public functions _grantComp() and claimComp().
This will likely result in transfers of COMP instead of the intended WETH.
Make getWETHAddress() return the correct address for WETH: 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2.
#0 - ecmendenhall
2022-06-21T21:56:22Z
#1 - nivasan1
2022-06-23T02:57:24Z
duplicate of #46
#2 - GalloDaSballo
2022-08-10T22:40:06Z
The submission missed the fact that the hardcoded address will cause reverts; however, it gets duped up to High because it highlights the same root cause.