Basin - Topmark's results

A composable EVM-native decentralized exchange protocol.

General Information

Platform: Code4rena

Start Date: 03/07/2023

Pot Size: $40,000 USDC

Total HM: 14

Participants: 74

Period: 7 days

Judge: alcueca

Total Solo HM: 9

Id: 259

League: ETH

Basin

Findings Distribution

Researcher Performance

Rank: 48/74

Findings: 1

Award: $17.52

QA: grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-07-basin/blob/main/src/Well.sol#L790

Vulnerability details

Impact

The modifier at lines 789-794 of src/Well.sol (line 790 specifically) uses block.timestamp as the condition that decides whether a call has expired, and that modifier guards several sensitive entry points such as swapFrom(...), swapTo(...) and addLiquidity(...). Because the block producer (a miner, or a validator after the merge) sets the block timestamp within the tolerance the network accepts, there is a risk that a single producer or a group of them skews the timestamp to their advantage, for example by manipulating the contract's notion of time around a deadline, or by front-running a user whose transaction sits close to its deadline.

Proof of Concept

Point 12 ("Block Timestamp Manipulation") of https://github.com/sigp/solidity-security-blog describes this class of issue.

Tools Used

solidity, smart contract

Recommended Mitigation Steps

Block timestamp and block number each have their pros and cons. Enforcing an expiry time is one option, but using the block number as the deadline in the affected Basin functions (if not all of them) would give the best result, since block numbers are less easily manipulated.
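The following Foundry test is an added example, not Basin's source and not part of the original report. It reconstructs a deadline modifier in the style of the one the report points at (a block.timestamp comparison that reverts with Expired), places the report's block-number alternative beside it, and shows the effect of a producer skewing the timestamp. The contract names, the swap stand-in, the Expired error, the PROPOSER_SKEW value (15 seconds, the clock-drift tolerance pre-merge geth applied to incoming blocks) and the warped "now"/block height are all constructed for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol";

// Reconstructed deadline guard in the style of the modifier the report cites
// (src/Well.sol, lines 789-794). Illustrative code, not Basin's own source.
contract TimestampDeadline {
    error Expired();

    modifier expire(uint256 deadline) {
        if (block.timestamp > deadline) revert Expired();
        _;
    }

    // Stand-in for swapFrom/swapTo/addLiquidity: only the guard matters here.
    function swap(uint256 deadline) external view expire(deadline) returns (bool) {
        return true;
    }
}

// The report's suggested alternative: express the deadline as a block number.
contract BlockNumberDeadline {
    error Expired();

    modifier expire(uint256 deadlineBlock) {
        if (block.number > deadlineBlock) revert Expired();
        _;
    }

    function swap(uint256 deadlineBlock) external view expire(deadlineBlock) returns (bool) {
        return true;
    }
}

contract DeadlineTest is Test {
    TimestampDeadline ts;
    BlockNumberDeadline bn;

    // Assumed skew: pre-merge geth accepted blocks stamped up to ~15 s ahead of
    // local time, so this is the latitude a producer could plausibly use.
    uint256 constant PROPOSER_SKEW = 15;

    function setUp() public {
        ts = new TimestampDeadline();
        bn = new BlockNumberDeadline();
        vm.warp(1_700_000_000); // constructed "now"
        vm.roll(18_000_000);    // constructed block height
    }

    function test_TimestampDeadline_HonestBlockPasses() public {
        uint256 deadline = block.timestamp + 10;
        assertTrue(ts.swap(deadline));
    }

    function test_TimestampDeadline_SkewedBlockReverts() public {
        uint256 deadline = block.timestamp + 10;
        // A producer stamping the block PROPOSER_SKEW seconds ahead pushes a
        // still-valid user deadline past expiry: the swap reverts although the
        // user's wall clock has not yet reached the deadline.
        vm.warp(block.timestamp + PROPOSER_SKEW);
        vm.expectRevert(TimestampDeadline.Expired.selector);
        ts.swap(deadline);
    }

    function test_BlockNumberDeadline_IgnoresTimestampSkew() public {
        uint256 deadlineBlock = block.number + 1;
        vm.warp(block.timestamp + PROPOSER_SKEW); // timestamp skew has no effect here
        assertTrue(bn.swap(deadlineBlock));
        vm.roll(block.number + 2);                 // only the block height expires it
        vm.expectRevert(BlockNumberDeadline.Expired.selector);
        bn.swap(deadlineBlock);
    }
}
```

Run with forge test in a Foundry project that has forge-std installed. Two caveats when weighing the report's recommendation: the latitude a producer has on block.timestamp is small (peers reject timestamps too far ahead, and after the merge the timestamp is fixed by the slot), which is the reason this was triaged as QA; and a block-number deadline converts a wall-clock expiry into an assumed block time, so a change in block interval silently changes how long a signed deadline remains valid.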

Assessed type

Access Control

#0 - c4-pre-sort

2023-07-11T15:52:02Z

141345 marked the issue as low quality report

#1 - 141345

2023-07-13T06:46:39Z

Lacks details on the impact and potential loss.

Maybe QA is more appropriate.

#2 - c4-judge

2023-08-04T05:44:30Z

alcueca changed the severity to QA (Quality Assurance)

#3 - c4-judge

2023-08-04T21:30:37Z

alcueca marked the issue as grade-a
