Back to Topmark's contests

Tapioca DAO - Topmark's results

The first ever Omnichain money market, powered by LayerZero.

General Information

Platform: Code4rena

Start Date: 05/07/2023

Pot Size: $390,000 USDC

Total HM: 136

Participants: 132

Period: about 1 month

Judge: LSDan

Total Solo HM: 56

Id: 261

League: ETH

Tapioca DAO

Findings Distribution

Researcher Performance

Rank: 123/132

Findings: 1

Award: $30.05

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryTapioca DAO

Findings Information

🌟 Selected for report: Madalad

Also found by: 0xStalin, 0xTheC0der, 0xfuje, Topmark, Vagner, cryptonue, gizzy, peakbolt, rvierdiiev

Labels

bug
2 (Med Risk)
satisfactory
duplicate-1504

Awards

30.0503 USDC - $30.05

External Links

Link to GitHub issue

Lines of code

https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/main/contracts/Magnetar/MagnetarV2.sol#L237 https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/main/contracts/Magnetar/MagnetarV2.sol#L215

Vulnerability details

Impact

DOS possibility due to valAccumulator calculation Mistake from repetition of "valAccumulator += _action.value;" at L215 & L237 of MagnetarV2.sol contract which would affect the validity check at L714 "require(msg.value == valAccumulator,..." of MagnetarV2.sol contract

Proof of Concept

The burst(...) function is a long function in the MagnetarV2.sol contract, spanning L194 all the way to L715 which is majorly due to a long loop from L202-L712. For each round of the loop, a cumulative sum of _action.value is calculated at L214-L216. https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/main/contracts/Magnetar/MagnetarV2.sol#L214-L216

202.     for (uint256 i = 0; i < length; i++) {
...
214.     unchecked {
215.        valAccumulator += _action.value;
216.      }

An error occurs if the condition at L232 is met at any point in the loop, where a repetition of the valAccumulator calculation can be spotted

232.            } else if (_action.id == TOFT_WRAP) {
233.                WrapData memory data = abi.decode(_action.call[4:], (WrapData));
234.                _checkSender(data.from);
235.                if (_action.value > 0) {
236.                    unchecked {
237.                        valAccumulator += _action.value;
238.                    }

This will affect the overall value of valAccumulator which will in extension affect the validity of the requirement at L714

714.   require(msg.value == valAccumulator, "MagnetarV2: value mismatch");

Thereby causing a Denial of Service due to non functionality of burst() function

Tools Used

Solidity, Manual Review

The code at L236-238 is not needed since it would only be a repetition of L214-L216

236.     -  unchecked {
237.     -  valAccumulator += _action.value;
238.     -  }

Assessed type

DoS

#0 - c4-pre-sort

2023-08-06T02:26:03Z

minhquanym marked the issue as duplicate of #207

#1 - c4-judge

2023-09-21T13:06:04Z

dmvt marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter