Back to Soosh's contests

Illuminate contest - Soosh's results

Your Sole Source For Fixed-Yields.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $55,000 USDC

Total HM: 29

Participants: 88

Period: 5 days

Judge: gzeon

Total Solo HM: 7

Id: 134

League: ETH

Illuminate

Findings Distribution

Researcher Performance

Rank: 43/88

Findings: 2

Award: $146.11

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryIlluminate

Findings Information

🌟 Selected for report: hyh

Also found by: 0x1f8b, 0x29A, Chom, Soosh, cccz, csanuragjain, hansfriese, itsmeSTYJ, kenzo, pashov, shenwilly, unforgiven

Labels

bug
duplicate
3 (High Risk)

Awards

82.1689 USDC - $82.17

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/redeemer/Redeemer.sol#L107

Vulnerability details

Impact

In the redeem(p,u,m,o) function of Redeemer.sol:

// Burn the prinicipal token from Illuminate
            token.burn(o, amount);

will burn the tokens from address o by amount. This address o is specified by the caller of the function so it can be any address the caller chooses. the burn() function itself (implemented in ERC5095.sol) only checks if there is enough balance to burn, not who is calling the function.

This allows Alice with x amount of principal tokens to burn x amount of Bob's principal tokens (by specifying address o as Bob's address) when redeeming. As long as Bob has enough principal tokens to burn and both Alice and Bob are in the same market.

Proof of Concept

Vulnerable burn() in redeem(): https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/redeemer/Redeemer.sol#L126 Implementation of burn ERC5095.sol: https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/marketplace/ERC5095.sol#L124

I believe address o should not be able to be specified by any users.

#0 - sourabhmarathe

2022-06-28T20:39:54Z

Duplicate of #387.

Findings Information

🌟 Selected for report: defsec

Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkowloon, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, Funen, GalloDaSballo, GimelSec, IllIllI, JC, Kenshin, Kulk0, Lambda, Limbooo, MadWookie, Metatron, Picodes, Soosh, StErMi, TomJ, WatchPug, Waze, Yiko, _Adam, ak1, asutorufos, aysha, bardamu, catchup, datapunk, delfin454000, dipp, fatherOfBlocks, grGred, hake, hansfriese, hyh, joestakey, kebabsec, kenzo, kirk-baird, oyc_109, pashov, poirots, rfa, robee, saian, sashik_eth, shenwilly, simon135, slywaters, z3s, zeesaw, zer0dot

Awards

63.9425 USDC - $63.94

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

mint() in Lender.sol can increase illuminate ERC5095 token supply arbitrarily

The mint() function allows user to specify the principal (p) for the market. This can be set to zero to select the illuminate ERC5095 token itself.

markets[u][m][0] = iToken

This will transfer the users ERC5095 tokens (which can be gotten from previous mint function calls) to the contract and mint new ERC5095 tokens. The attacker can keep doing this to increase the totalSupply of ERC5095 tokens in existence.

Impact

increase totalSupply of ERC5095 illuminate tokens to a higher number than expected. Also increases the number of ERC5095 tokens in the Lender.sol contract. These effects may not be expected.

Relevant code

The mint() function: https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L167

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter