Back to UdarTeam's contests

prePO contest - UdarTeam's results

Decentralized Exchange for Pre-IPO Stocks & Pre-IDO Tokens.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $36,500 USDC

Total HM: 9

Participants: 69

Period: 3 days

Judge: Picodes

Total Solo HM: 2

Id: 190

League: ETH

prePO

Findings Distribution

Researcher Performance

Rank: 14/69

Findings: 3

Award: $583.62

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryprePO

Findings Information

🌟 Selected for report: zaskoh

Also found by: 0xTraub, UdarTeam, ak1

Labels

bug
2 (Med Risk)
satisfactory
sponsor acknowledged
duplicate-93

Awards

530.4488 USDC - $530.45

External Links

Link to GitHub issue

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/PrePOMarket.sol#L65-L74

Vulnerability details

Impact

createMarket function in PrePOMarketFactory.sol contract creates a new PrePOMarket contract. Salt is used for creating the contract which is computed from _createPairTokens function. Variables passed to this function are visible from anyone (they are input parameter for the createMarket function). After the PrePOMarket contract is created, only the team should mint Long and Short Tokens (Reference). This check is done with hook function from MintHook.sol contract. When the contract is created, _mintHook variable points to zero address, which means that the check here will not execute. Since all transactions are visible in the mempool for a short while before being executed, there could be an observer which can see the PrePOMarket contract creation, compute the contract's address and call mint function before the team has set the mintHook's address. This can break the team's market economy or other things which depend on Long/Short Tokens.

Proof of Concept

Tools Used

Manual

One way is to set the mintHook variable in PrePOMarket.sol constructor when creating the contract in createMarket function. The other way is to use some type of enhanced commit and reveal schemes.

#0 - c4-judge

2022-12-17T18:18:13Z

Picodes marked the issue as primary issue

#1 - c4-sponsor

2022-12-19T22:51:40Z

ramenforbreakfast marked the issue as sponsor acknowledged

#2 - ramenforbreakfast

2022-12-19T22:52:30Z

We acknowledge this issue, but are not going to address it since we do not plan on addressing the situation of being frontrun during market deployment via changing our SC architecture, since funds would not be impacted. We will try to mitigate this risk through our deployment process.

#3 - c4-judge

2023-01-07T11:35:36Z

Picodes marked the issue as satisfactory

#4 - C4-Staff

2023-01-17T19:11:48Z

captainmangoC4 marked issue 93 as selected for report. Updating associated duplicate and primary issues.

Findings Information

🌟 Selected for report: 0xSmartContract

Also found by: 0Kage, 0x52, 0xAgro, 0xNazgul, 0xTraub, 0xhacksmithh, Awesome, Aymen0909, Bnke0x0, Englave, Janio, Mukund, Parth, RaymondFam, Rolezn, SmartSek, Tointer, UdarTeam, Udsen, Zarf, caventa, chaduke, csanuragjain, deliriusz, gz627, idkwhatimdoing, izhelyazkov, joestakey, neumo, obront, oyc_109, rvierdiiev, shark, trustindistrust, wait, yongskiws

Awards

28.124 USDC - $28.12

Labels

bug
grade-b
QA (Quality Assurance)
edited-by-warden
Q-05

External Links

Link to GitHub issue

[N-01] LARGE MULTIPLES OF TEN SHOULD USE SCIENTIFIC NOTATION

Use (e.g. 1e6) rather than decimal literals (e.g. 1000000), for better code readability

apps/smart-contracts/core/contracts/Collateral.sol: 19 apps/smart-contracts/core/contracts/ManagerWithdrawHook.sol: 12

[N-02] USE SCIENTIFIC NOTATION (E.G. 1E18) RATHER THAN EXPONENTIATION (E.G. 10**18)

Scientific notation should be used for better code readability

apps/smart-contracts/core/contracts/Collateral.sol: 31 apps/smart-contracts/core/contracts/TokenSender.sol: 33

[N-03] MISLEADING COMMENT BLOCK

On lines L8-L9 it says that Users can mint/redeem long/short positions on a specific asset in exchange for Collateral tokens.. On lines L73-L74 there is a comment about the mint which says Minting will only be done by the team, and thus relies on the `_mintHook` to enforce access controls.

#0 - c4-judge

2022-12-19T14:32:48Z

Picodes marked the issue as grade-b

Findings Information

🌟 Selected for report: ReyAdmirado

Also found by: 0xSmartContract, 0xTraub, Aymen0909, Englave, Mukund, RHaO-sec, RaymondFam, Rolezn, Sathish9098, Tomio, UdarTeam, chaduke, dharma09, gz627, martin, nadin, pavankv, rjs, saneryee

Awards

25.0472 USDC - $25.05

Labels

bug
G (Gas Optimization)
grade-b
G-03

External Links

Link to GitHub issue

[G-01] X = X + Y IS MORE EFFICIENT, THAN X += Y (6 INSTANCES)

packages/prepo-shared-contracts/contracts/NFTScoreRequirement.sol: 60 apps/smart-contracts/core/contracts/DepositRecord.sol: 31, 32, 36 apps/smart-contracts/core/contracts/WithdrawHook.sol: 64, 71

[G-02] UNNECESSARY STORAGE READ ON EVENT EMITTING (1 INSTANCE)

apps/smart-contracts/core/contracts/DepositRecord.sol: 42

   function setGlobalNetDepositCap(uint256 _newGlobalNetDepositCap) external override onlyRole(SET_GLOBAL_NET_DEPOSIT_CAP_ROLE) {
     globalNetDepositCap = _newGlobalNetDepositCap;
-    emit GlobalNetDepositCapChange(globalNetDepositCap);
+    emit GlobalNetDepositCapChange(_newGlobalNetDepositCap);
   }

#0 - c4-judge

2022-12-19T13:23:11Z

Picodes marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter