Decent - Timepunk's results

Decent enables one-click transactions using any token across chains.

General Information

Platform: Code4rena

Start Date: 19/01/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 113

Period: 3 days

Judge: 0xsomeone

Id: 322

League: ETH

Researcher Performance

Rank: 63/113

Findings: 1

Award: $21.72

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

21.7151 USDC - $21.72

Labels

bug
2 (Med Risk)
insufficient quality report
partial-50
duplicate-262

External Links

Lines of code

https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentEthRouter.sol#L171

Vulnerability details

Impact

Medium

Proof of Concept:

When a call for a bridging action is made via UTB, in DecentETHRouter before bridging, DecentBridgeAdapter is set as the refund address. However, DecentBridgeAdapter has no method for extracting refunds which become stuck over time.

Tools Used:

Manual assessment

Add a protected function in DecentBridgeAdapter to extract refunds which may become stuck over time.

Assessed type

ETH-Transfer

#0 - c4-pre-sort

2024-01-25T00:30:28Z

raymondfam marked the issue as duplicate of #27

#1 - c4-pre-sort

2024-01-25T00:30:32Z

raymondfam marked the issue as insufficient quality report

#2 - raymondfam

2024-01-25T00:31:35Z

Same root cause as in #27, albeit with insufficient proof.

#3 - c4-judge

2024-02-02T16:57:11Z

alex-ppg marked the issue as not a duplicate

#4 - c4-judge

2024-02-02T16:58:24Z

alex-ppg marked the issue as duplicate of #262

#5 - c4-judge

2024-02-02T17:01:58Z

alex-ppg marked the issue as partial-50
