Canto Liquidity Mining Protocol - Topmark's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 03/10/2023

Pot Size: $24,500 USDC

Total HM: 6

Participants: 62

Period: 3 days

Judge: LSDan

Total Solo HM: 3

Id: 288

League: ETH

Canto

Researcher Performance

Rank: 53/62

Findings: 1

Award: $4.94

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

4.9369 USDC - $4.94

Labels

bug
grade-b
QA (Quality Assurance)
sufficient quality report
Q-22

Report 1:

tickTrackingIndexAccruedUpTo_ mapping used in L89, L135, L144 & L146 has no mapping description. Its mapping description should be added to L192 @ https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/mixins/StorageLayout.sol#L192

+++ //Pool -> Position -> Tick -> TrackingIndex 
    mapping(bytes32 => mapping(bytes32 => mapping(int32 => uint32))) tickTrackingIndexAccruedUpTo_;

Report 2:

timeWeightedWeeklyPositionConcLiquidityLastSet_[poolIdx][posKey] at L151 of the LiquidityMining.sol contract can be updated to block.timestamp even if the difference between lowerTick & UpperTick from L72-L73 of the same contract is less than 20. A deep analysis of the accrueConcentratedPositionTimeWeightedLiquidity(...) function and its use case at 163 shows that the whole function setup is not relevant if "UpperTick - lowerTick is less than 20" due to the subtraction operations in the loop at L88, L139 & L184. Therefore a validation check is necessary if "UpperTick - lowerTick is less than 20" instead of just giving room for timeWeightedWeeklyPositionConcLiquidityLastSet_[poolIdx][posKey] update when it is not. https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/mixins/LiquidityMining.sol#L151

 function accrueConcentratedPositionTimeWeightedLiquidity(
        address payable owner,
        bytes32 poolIdx,
        int24 lowerTick,
        int24 upperTick
    ) internal {
+++ require ( UpperTick - lowerTick < 20, "InvalidTickRange" )
...
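
Review bot: the condition in the added `require` line is inverted relative to the reasoning given for it. As written, `UpperTick - lowerTick < 20` lets the call continue only when the range is narrower than 20 ticks and reverts with "InvalidTickRange" on every wider range, while the report text asks for the narrow case to be the one that is rejected, so the comparison should be `>= 20`. The same line also refers to `UpperTick` where the parameter in the signature above is `upperTick`, and it has no terminating semicolon, so it would not compile as posted.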

#0 - c4-pre-sort

2023-10-09T17:22:19Z

141345 marked the issue as sufficient quality report

#1 - c4-judge

2023-10-18T22:33:40Z

dmvt marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
