Back to TiesStevelink's contests

Tapioca DAO - TiesStevelink's results

The first ever Omnichain money market, powered by LayerZero.

General Information

Platform: Code4rena

Start Date: 05/07/2023

Pot Size: $390,000 USDC

Total HM: 136

Participants: 132

Period: about 1 month

Judge: LSDan

Total Solo HM: 56

Id: 261

League: ETH

Tapioca DAO

Findings Distribution

Researcher Performance

Rank: 125/132

Findings: 1

Award: $20.42

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryTapioca DAO

Findings Information

🌟 Selected for report: Ack

Also found by: 0xG0P1, 0xRobocop, 0xStalin, KIntern_NA, Koolex, Oxsadeeq, RedOneN, TiesStevelink, ayeslick, bin2chen, cergyk, kaden, ladboy233, ltyu, plainshift, rvierdiiev, xuwinnie, zzzitron

Awards

20.4247 USDC - $20.42

Labels

bug
3 (High Risk)
satisfactory
duplicate-1567

External Links

Link to GitHub issue

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/singularity/SGLCollateral.sol#L27 https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/singularity/SGLLendingCommon.sol#L23-L25 https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/MarketERC20.sol#L84

Vulnerability details

Impact

Users can add any amounts of collateral without the allowing borrow permission by calling addCollateral() function with share of 0.

Proof of Concept

Let's call addCollateral() function with share of 0 in SGLCollateral.sol.

uint256 amount = 1e18 * 10000000000 // as much as possible
sglcollateral.addCollateral(from, to, false, amount, 0);

And then it will be passed allowedBorrow(from, 0) modifier, because share is 0 in addCollateral() function.

    function addCollateral(
        address from,
        address to,
        bool skim,
        uint256 amount,
        uint256 share
    ) public notPaused allowedBorrow(from, share) {
        _addCollateral(from, to, skim, amount, share);
    }

    function _addCollateral(
        address from,
        address to,
        bool skim,
        uint256 amount,
        uint256 share
    ) internal {
        if (share == 0) {
            share = yieldBox.toShare(collateralId, amount, false);
        }
        userCollateralShare[to] += share;
        ...
    }

As we can see _addCollateral() function, if share is 0, share will be calculated based on amount. And then recalculated share will be added to user's collateral.

Tools Used

Manual

Need to add _allowedBorrow(from, share) in _addCollateral() function like the following code.

    function _addCollateral(
        address from,
        address to,
        bool skim,
        uint256 amount,
        uint256 share
    ) internal {
        if (share == 0) {
            share = yieldBox.toShare(collateralId, amount, false);
            _allowedBorrow(from, share);
        }
        userCollateralShare[to] += share;
        ...
    }

Assessed type

Context

#0 - c4-pre-sort

2023-08-05T02:53:14Z

minhquanym marked the issue as duplicate of #55

#1 - c4-judge

2023-09-12T17:33:45Z

dmvt marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter