Connext Amarok contest - TerrierLover's results

The interoperability protocol of L2 Ethereum.

General Information

Platform: Code4rena

Start Date: 08/06/2022

Pot Size: $115,000 USDC

Total HM: 26

Participants: 72

Period: 11 days

Judge: leastwood

Total Solo HM: 14

Id: 132

League: ETH

Connext

Findings Distribution

Researcher Performance

Rank: 55/72

Findings: 1

Award: $143.53

🌟 Selected for report: 0

🚀 Solo Findings: 0

[QA-1] _router is not used in repayAavePortalFor

The comment on repayAavePortalFor says "This allows anyone to repay the portal in the adopted asset for a given router and transfer", but the _router argument is never read in the function body, so the caller's choice of router has no effect.

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/facets/PortalFacet.sol#L115-L126


[QA-2] repayAavePortal can leave an underflowed value in s.routerBalances[msg.sender][_local]

Anyone can call repayAavePortal and end up with an underflowed (wrapped-around) value in s.routerBalances[msg.sender][_local].

The router balance is decremented inside an unchecked block:

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/facets/PortalFacet.sol#L107-L109

unchecked { s.routerBalances[msg.sender][_local] -= amountIn; }

When the adopted asset is the local asset, AssetLogic.swapFromLocalAssetIfNeededForExactOut returns (true, _amount, _asset) (no swap is performed), so execution reaches s.routerBalances[msg.sender][_local] -= amountIn with amountIn equal to the amount passed in.

https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/libraries/AssetLogic.sol#L244-L247

As a result, when s.routerBalances[msg.sender][_local] is zero or smaller than amountIn, the subtraction underflows and wraps around, leaving a value close to 2**256 in s.routerBalances[msg.sender][_local], which is clearly not intended. Removing unchecked from this subtraction, so that Solidity 0.8 checked arithmetic reverts on underflow, prevents this.
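The pattern behind QA-2, reduced to a stand-alone contract as an added example (this is not Connext code; the contract name RouterBalanceDemo, the balances mapping and the function names are hypothetical, and the mapping only mirrors the shape of s.routerBalances[router][local]). repayUnchecked reproduces the unchecked decrement; repayChecked is the hardened form that reverts instead of wrapping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration, not Connext code. RouterBalanceDemo, `balances`,
/// addLiquidity, repayUnchecked, repayChecked and wrapped are hypothetical
/// names chosen for this example.
contract RouterBalanceDemo {
    // router => local asset => balance, same shape as s.routerBalances
    mapping(address => mapping(address => uint256)) public balances;

    event Repaid(address indexed router, address indexed local, uint256 amountIn, uint256 remaining);

    /// Credit a router balance (stand-in for the normal liquidity path).
    function addLiquidity(address local, uint256 amount) external {
        balances[msg.sender][local] += amount;
    }

    /// Vulnerable pattern: `unchecked` disables the Solidity >=0.8
    /// underflow revert, so a caller whose balance is smaller than
    /// `amountIn` is left with balance = 2**256 - (amountIn - balance)
    /// instead of the call failing.
    function repayUnchecked(address local, uint256 amountIn) external {
        unchecked {
            balances[msg.sender][local] -= amountIn;
        }
        emit Repaid(msg.sender, local, amountIn, balances[msg.sender][local]);
    }

    /// Hardened pattern: keep the subtraction checked and make the
    /// precondition explicit, so an insufficient balance reverts.
    function repayChecked(address local, uint256 amountIn) external {
        require(balances[msg.sender][local] >= amountIn, "insufficient router balance");
        balances[msg.sender][local] -= amountIn; // reverts on underflow
        emit Repaid(msg.sender, local, amountIn, balances[msg.sender][local]);
    }

    /// Pure helper that shows the wrapped result for a (balance, amountIn)
    /// pair, e.g. wrapped(0, 1) == type(uint256).max.
    function wrapped(uint256 balance, uint256 amountIn) external pure returns (uint256) {
        unchecked {
            return balance - amountIn;
        }
    }
}
```

Compile with any 0.8.x compiler. Calling repayUnchecked(local, 1) from a fresh address leaves balances[addr][local] == type(uint256).max, whereas repayChecked(local, 1) from the same address reverts with "insufficient router balance"; the difference is exactly the unchecked block.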

#0 - LayneHaber

2022-06-21T22:11:43Z

QA-1 -- valid.

QA-2 -- invalid -- there are other high severity issues that reference this (and this is a bit more than a QA issue since routers can then withdraw and effectively steal from the contract). See #68 #211

AuditHub

Built by malatrax © 2024
