Back to Watermelon's contests

veRWA - Watermelon's results

Incentivization Primitive for Real World Assets on Canto

General Information

Platform: Code4rena

Start Date: 07/08/2023

Pot Size: $36,500 USDC

Total HM: 11

Participants: 125

Period: 3 days

Judge: alcueca

Total Solo HM: 4

Id: 274

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 52/125

Findings: 2

Award: $25.65

QA:
grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCanto

Findings Information

🌟 Selected for report: ADM

Also found by: 0xDING99YA, 3docSec, BenRai, Jorgect, Kow, MrPotatoMagic, QiuhaoLi, RandomUser, SpicyMeatball, Tendency, Topmark, Watermelon, Yanchuan, Yuki, bart1e, cducrest, kaden, lsaudit, nemveer, nonseodion

Awards

15.8333 USDC - $15.83

Labels

bug
3 (High Risk)
partial-50
upgraded by judge
duplicate-182

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-08-verwa/blob/498a3004d577c8c5d0c71bff99ea3a7907b5ec23/src/VotingEscrow.sol#L384

Vulnerability details

Description and Impact

In the delegate() function, if the delegatee's unlockTime surpasses that of the owner, the owner cannot perform an undelegation. As a result, the owner becomes unable to withdraw funds since the withdraw() function necessitates the owner's delegatee to be the owner themselves.

Proof of Concept

  1. Both Alice and Bob utilize the createLock() function to lock their tokens.
  2. Alice invokes the delegate(Bob) function, thereby delegating her tokens to Bob.
  3. Bob accesses the increaseAmount() function, extending the lock duration of his tokens.
  4. Alice attempts to use the delegate(msg.sender) function but encounters an inability to undelegate due to Bob's lock duration surpassing that of Alice's.

We recommend implementing a mechanism where the owner inherits the unlockTime of the delegatee if it happens to exceed the owner's own unlockTime.

Assessed type

Governance

#0 - c4-pre-sort

2023-08-13T06:44:23Z

141345 marked the issue as duplicate of #116

#1 - c4-pre-sort

2023-08-13T14:29:36Z

141345 marked the issue as not a duplicate

#2 - c4-pre-sort

2023-08-13T14:29:55Z

141345 marked the issue as duplicate of #116

#3 - c4-pre-sort

2023-08-13T14:35:08Z

141345 marked the issue as duplicate of #82

#4 - c4-judge

2023-08-24T07:20:31Z

alcueca changed the severity to 3 (High Risk)

#5 - c4-judge

2023-08-24T07:20:40Z

alcueca changed the severity to 2 (Med Risk)

#6 - c4-judge

2023-08-24T07:27:10Z

alcueca marked the issue as partial-50

#7 - c4-pre-sort

2023-08-24T08:21:46Z

141345 marked the issue as not a duplicate

#8 - c4-pre-sort

2023-08-24T08:24:15Z

141345 marked the issue as duplicate of #375

#9 - c4-judge

2023-08-24T21:11:41Z

alcueca marked the issue as partial-50

#10 - c4-judge

2023-08-29T06:37:08Z

alcueca marked the issue as duplicate of #182

#11 - c4-judge

2023-08-29T06:37:35Z

alcueca changed the severity to 3 (High Risk)

Findings Information

🌟 Selected for report: RED-LOTUS-REACH

Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie

Awards

9.8204 USDC - $9.82

Labels

bug
grade-a
QA (Quality Assurance)
Q-30

External Links

Link to GitHub issue

Title

Unsafe Integer Cast Causes Incorrect amount and delegated

Locations

Description

Type casting refers to changing a variable of one data type into another. The code contains an unsafe cast between integer types, which may result in unexpected truncation or sign flipping of the value. For example in the createLock() function, if the _value exceeds the maximum value of type(int128), which is 2**127 - 1, the accounting will become inaccurate. Consequently, the amount added to locked_.amount will be less than the actual token amount transferred from the user. As a result, the user won't be able to withdraw the tokens they transferred, leading to their tokens being trapped within the contract indefinitely.

Scenario

  1. Bob attempts to lock 2**128 tokens. He invokes createLock(2**128, unlockTime).
  2. However, this operation does not affect the locked.amount variable; it remains at 0. This is due to the fact that the casting int128(int256(2**128)) results in truncation to 0. Consequently, the locked amount remains unaffected despite the tokens being transferred.

Recommendation

It is recommended to check the bounds of integer values before casting. Alternatively, consider using the SafeCast library from OpenZeppelin to perform safe type casting and prevent undesired behavior.

Reference: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/cf86fd9962701396457e50ab0d6cc78aa29a5ebc/contracts/utils/math/SafeCast.sol

#0 - c4-judge

2023-08-22T13:52:14Z

alcueca marked the issue as grade-a

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter