Tigris Trade contest - UniversalCrypto's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Tigris Trade

Researcher Performance

Rank: 33/84

Findings: 1

Award: $340.79

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: rvierdiiev

Also found by: UniversalCrypto, __141345__

Labels

bug
2 (Med Risk)
satisfactory
sponsor acknowledged
duplicate-124

Awards

340.7853 USDC - $340.79

External Links

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Trading.sol#L163

Vulnerability details

Impact

EIP-2612 allows a signer to create a signature which specifies any address as spender, which should allow the spender to use the signature created to validate transactions. However, in Trading.sol this spender cannot use initiateMarketOrder, preventing them from opening positions on behalf of the signer.

Proof of Concept

Originally, in the 07.Trading.js test file, a signature is created like this, which passes:

permitSig = await signERC2612Permit(owner, MockDAI.address, owner.address, Trading.address, ethers.constants.MaxUint256);

For this POC we will assume the owner wants to approve user as a spender:

permitSig = await signERC2612Permit(owner, MockDAI.address, user.address, Trading.address, ethers.constants.MaxUint256);

This should allow user to open positions using tokens from owner.

On Line 185: https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/test/07.Trading.js#L185

The owner opens a trade using owner.address as the trader.

In this example the spender should be able to open a trade using the signature created by the owner, however, in all cases, this will revert.

await trading.connect(user).initiateMarketOrder(TradeInfo, PriceData, sig, PermitData, owner.address);
await trading.connect(user).initiateMarketOrder(TradeInfo, PriceData, sig, PermitData, user.address);
await trading.connect(owner).initiateMarketOrder(TradeInfo, PriceData, sig, PermitData, user.address);

Tools Used

Manual Audit

Specify whether signatures with a different signer to spender will not be validated.

#0 - c4-judge

2022-12-22T02:08:34Z

GalloDaSballo marked the issue as primary issue

#1 - GalloDaSballo

2022-12-22T02:08:39Z

Somewhat coded POC -> Primary

#2 - c4-sponsor

2023-01-09T16:07:10Z

TriHaz marked the issue as sponsor acknowledged

#3 - GalloDaSballo

2023-01-17T10:22:03Z

Removing primary as POC here is shaky (I think it's just not approved proxy)

#4 - c4-judge

2023-01-17T10:23:12Z

GalloDaSballo marked the issue as duplicate of #124

#5 - c4-judge

2023-01-22T17:50:52Z

GalloDaSballo marked the issue as satisfactory
