Back to ak1's contests

FEI and TRIBE Redemption contest - ak1's results

A new DeFi primitive that allows any token to become productive and provide FEI liquidity at no cost to the markets that need it most.

General Information

Platform: Code4rena

Start Date: 09/09/2022

Pot Size: $42,000 USDC

Total HM: 2

Participants: 101

Period: 3 days

Judge: hickuphh3

Total Solo HM: 2

Id: 161

League: ETH

Tribe

Findings Distribution

Researcher Performance

Rank: 66/101

Findings: 1

Award: $33.58

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryTribe

Findings Information

🌟 Selected for report: GalloDaSballo

Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas

Awards

33.5762 USDC - $33.58

Labels

bug
QA (Quality Assurance)
sponsor disputed

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/redeem/TribeRedeemer.sol#L29 https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/redeem/TribeRedeemer.sol#L71-L73

Vulnerability details

Impact

User input error (adding the same token again in an array of token), can cause the double spend issue..

Proof of Concept

https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/redeem/TribeRedeemer.sol#L29

constructor(
    address _redeemedToken,
    address[] memory _tokensReceived,
    uint256 _redeemBase
) {
    redeemedToken = _redeemedToken;
    tokensReceived = _tokensReceived;
    redeemBase = _redeemBase;
}

Here the double spend can happen. https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/redeem/TribeRedeemer.sol#L71-L73

function redeem(address to, uint256 amountIn) external nonReentrant {
    IERC20(redeemedToken).safeTransferFrom(msg.sender, address(this), amountIn);


    (address[] memory tokens, uint256[] memory amountsOut) = previewRedeem(amountIn);


    uint256 base = redeemBase;
    redeemBase = base - amountIn; // decrement the base for future redemptions
    for (uint256 i = 0; i < tokens.length; i++) {
        IERC20(tokens[i]).safeTransfer(to, amountsOut[i]);
    }


    emit Redeemed(msg.sender, to, amountIn, base);
}

Tools Used

Manual code review

during the contract deployment, add validation to ensure that same token is not added in the token array.

#0 - thomas-waite

2022-09-19T13:25:22Z

Config issue, not a vulnearability. Integration testing will rule out

#1 - HickupHH3

2022-09-28T04:50:48Z

constructor param check: dup of #184

warden's primary QA

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter