Althea Liquid Infrastructure - agadzhalov's results

Liquid Infrastructure.

General Information

Platform: Code4rena

Start Date: 13/02/2024

Pot Size: $24,500 USDC

Total HM: 5

Participants: 84

Period: 6 days

Judge: 0xA5DF

Id: 331

League: ETH

Althea

Findings Distribution

Researcher Performance

Rank: 57/84

Findings: 1

Award: $25.73

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

25.7286 USDC - $25.73

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-87

External Links

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/main/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L441

Vulnerability details

[M-3] Missing require for setDistributableERC20s during active distribution period can cause distribution of wrong reward tokens

Summary

The owner of the protocol may overwrite distributableERC20s during an active distribution period, which will lead to distribution of wrong/less valuable tokens.

PoC

  1. Let's assume we have distributableERC20s = ["USDT", "USDC", "DAI"].
  2. A user executes distribute(1) and the distribution period has started.
  3. The owner executes setDistributableERC20s, intentionally or not, and overwrites distributableERC20s with ["DummyErc20One", "DummyErc20Two", "DummyErc20Three"].
  4. In the case when the protocol has enough balance of the overwritten tokens, when distribute or distributeToAllHolders is executed again, wrong reward tokens will be distributed (L220-L224) https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/main/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L220
  5. In the case when the protocol has no amount of the overwritten tokens, no reward tokens will be distributed at all.

Owner could overwrite distributableERC20s and scam innocent holders.

Impact

Execution of setDistributableERC20s from the owner's side during an active distribution period may harm innocent users, who would receive wrong/less valuable/undesirable reward tokens.

Add require(_isPastMinDistributionPeriod()) in setDistributableERC20s before overwriting distributableERC20s https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/main/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L443

Assessed type

Invalid Validation
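
The failure mode from the PoC above, reduced to a minimal model as an added example (it is not the audited contract and not the submitter's code). Payouts are recorded in a mapping instead of transferred, and `DistributionModel`, `nextRecipient`, `distributionActive`, `paid` and `setDistributableERC20sGuarded` are hypothetical names; the in-progress flag is an assumed stand-in for the check the finding recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Simplified model written for this example; NOT the audited contract. Only
// distributableERC20s, setDistributableERC20s and distribute come from the finding.
contract DistributionModel {
    address public owner = msg.sender;
    address[] public distributableERC20s;
    address[] public holders;
    uint256 public nextRecipient;   // cursor into holders for the current round
    bool public distributionActive; // true between the first and last batch
    mapping(address => mapping(address => uint256)) public paid; // holder => token => units
    constructor(address[] memory tokens, address[] memory _holders) {
        distributableERC20s = tokens;
        holders = _holders;
    }

    // Pays up to n holders per call, so one round can span many transactions.
    // The token list is read from storage on every call, not snapshotted.
    function distribute(uint256 n) external {
        require(n > 0, "must process at least 1 holder");
        distributionActive = true;
        uint256 end = nextRecipient + n;
        if (end > holders.length) end = holders.length;
        for (uint256 i = nextRecipient; i < end; i++) {
            for (uint256 j = 0; j < distributableERC20s.length; j++) {
                paid[holders[i]][distributableERC20s[j]] += 1; // stands in for a transfer
            }
        }
        nextRecipient = end;
        if (end == holders.length) { // round finished: reset for the next one
            nextRecipient = 0;
            distributionActive = false;
        }
    }

    // Unguarded setter, as in the finding: a call between two batches changes the payout tokens.
    function setDistributableERC20s(address[] memory tokens) external {
        require(msg.sender == owner, "not owner");
        distributableERC20s = tokens;
    }

    // Guarded variant: the list is frozen until the round has paid every holder.
    function setDistributableERC20sGuarded(address[] memory tokens) external {
        require(msg.sender == owner, "not owner");
        require(!distributionActive, "distribution in progress");
        distributableERC20s = tokens;
    }
}
```

With three holders, calling distribute(1), then the unguarded setter with a new list, then distribute(2) leaves the first holder credited in the old tokens and the other two in the new ones; the guarded setter reverts at that same point.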

#0 - c4-pre-sort

2024-02-20T04:20:50Z

0xRobocop marked the issue as duplicate of #151

#1 - c4-pre-sort

2024-02-20T04:38:35Z

0xRobocop marked the issue as duplicate of #260

#2 - c4-judge

2024-03-04T15:18:54Z

0xA5DF marked the issue as satisfactory

#3 - c4-judge

2024-03-08T15:12:32Z

0xA5DF changed the severity to 3 (High Risk)

#4 - c4-judge

2024-03-08T15:26:19Z

0xA5DF changed the severity to 2 (Med Risk)
