Canto Dex Oracle contest - ak1's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 07/09/2022

Pot Size: $20,000 CANTO

Total HM: 7

Participants: 65

Period: 1 day

Judge: 0xean

Total Solo HM: 3

Id: 159

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 42/65

Findings: 1

Award: $39.22

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

242.8216 CANTO - $39.22

Labels

bug
disagree with severity
QA (Quality Assurance)
sponsor confirmed

External Links

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-core.sol#L260-L269

Vulnerability details

Impact

BaseV1-core.sol#L260: totalSupplyAvg may not return the true average when granularity is less than, or greater than (i.e. too far from the median value), the total number of entries in _totalSupplyAvg.

Proof of Concept

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-core.sol#L260-L269

function totalSupplyAvg(uint granularity) external view returns(uint) {
    uint[] memory _totalSupplyAvg = sampleSupply(granularity, 1);
    uint totalSupplyCumulativeAvg;
    for (uint i = 0; i < _totalSupplyAvg.length; ++i) {
        totalSupplyCumulativeAvg += _totalSupplyAvg[i]; //totalSupply denominated in terms of 1e18
    }
    return (totalSupplyCumulativeAvg / granularity);
}

In the above code the average is computed using granularity as the denominator, but this granularity can be a value that is too far away from the median value; for example, it could be far from _totalSupplyAvg.length.

Tools Used

VS code and Manual code review

It is suggested to calculate the average based on _totalSupplyAvg.length instead: totalSupplyCumulativeAvg / _totalSupplyAvg.length
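As an added illustration (not part of the warden's submission or of the Canto code), a simplified Python model of the sampler and of the two candidate denominators. sample_supply, the observation values and the window arithmetic are assumptions modelled on a Solidly-style supply TWAP, not the project's implementation; the model makes the sampler refuse requests it cannot fill, so the returned array length always equals the requested granularity.

```python
from typing import List

# Constructed cumulative total-supply observations (one per tick), standing in
# for the contract's observation array; not project data.
CUMULATIVE_SUPPLY = [0, 1000, 2100, 3300, 4600, 6000, 7500, 9100, 10800, 12600, 14500]


def sample_supply(observations: List[int], points: int, window: int) -> List[int]:
    """Assumed model of a Solidly-style sampler (not the project's code).

    Returns exactly `points` window-averaged supplies from the deltas of the
    cumulative series, refusing to run (models a revert) when fewer than
    points*window observations exist instead of returning a shorter array.
    """
    last = len(observations) - 1
    if last < points * window:
        raise ValueError("not enough observations")
    out = []
    i = last - points * window
    while i < last:
        nxt = i + window
        out.append((observations[nxt] - observations[i]) // window)
        i = nxt
    return out


def total_supply_avg(observations: List[int], granularity: int) -> int:
    """Mirror of the contract's arithmetic: sum the samples, divide by granularity."""
    samples = sample_supply(observations, granularity, 1)
    return sum(samples) // granularity


def total_supply_avg_by_length(observations: List[int], granularity: int) -> int:
    """The finding's suggested denominator: the returned array's own length."""
    samples = sample_supply(observations, granularity, 1)
    if not samples:  # an empty array would otherwise divide by zero
        raise ValueError("no samples")
    return sum(samples) // len(samples)


def sampler_reverts(observations: List[int], points: int) -> bool:
    """True when the sampler refuses the request (models the on-chain revert)."""
    try:
        sample_supply(observations, points, 1)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(total_supply_avg(CUMULATIVE_SUPPLY, 8))            # 1550
    print(total_supply_avg_by_length(CUMULATIVE_SUPPLY, 8))  # 1550
```

With eight samples available both denominators give the same result, which is the point auditor0517 makes in the comments; the length-based variant only differs in how it fails when no samples come back.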

#0 - auditor0517

2022-09-11T18:29:15Z

I think _totalSupplyAvg.length is the same as granularity after the sampleSupply() function.

#1 - nivasan1

2022-09-12T16:32:36Z

Although this issue may indeed exist, it does not affect availability / function of the protocol, as there will be very few cases in which a pair will not be able to return a price. Furthermore, in these cases, it is desired behavior that the price is not available (first 8 observations have not been made).

#2 - 0xean

2022-10-13T13:47:45Z

Warden doesn't effectively demonstrate impact to the rest of the protocol; will downgrade to QA.
