Tigris Trade contest - ak1's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Tigris Trade

Findings Distribution

Researcher Performance

Rank: 68/84

Findings: 1

Award: $13.76

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

13.7578 USDC - $13.76

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-533

External Links

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/StableVault.sol#L44-L71

Vulnerability details

Impact

StableVault.sol: deposit, depositWithPermit and withdraw would revert.

TradingLibrary.sol: the verifyPrice function would revert at line 115.

Trading.sol: _handleDeposit would revert at line 650, and _handleWithdraw would fail at line 675.

Proof of Concept

From the listed pairs it is clear that the protocol supports NEAR/USD: https://docs.tigris.trade/protocol/listed-pairs#:~:text=3-,NEAR/USD,-0.10%25

NEAR has 24 decimals: https://etherscan.io/token/0x85f17cf997934a597031b2e18a9ab6ebd4b9f6a4

```solidity
function deposit(address _token, uint256 _amount) public {
    require(allowed[_token], "Token not listed");
    IERC20(_token).transferFrom(_msgSender(), address(this), _amount);
    IERC20Mintable(stable).mintFor(
        _msgSender(),
        // line 49: 18 - decimals() underflows (and reverts) for a token with more than 18 decimals
        _amount*(10**(18-IERC20Mintable(_token).decimals()))
    );
}

function depositWithPermit(address _token, uint256 _amount, uint256 _deadline, bool _permitMax, uint8 v, bytes32 r, bytes32 s) external {
    uint _toAllow = _amount;
    if (_permitMax) _toAllow = type(uint).max;
    ERC20Permit(_token).permit(_msgSender(), address(this), _toAllow, _deadline, v, r, s);
    deposit(_token, _amount); // inherits the same revert
}

/**
 * @notice swap tigAsset to _token
 * @param _token address of the token to receive
 * @param _amount amount of _token
 */
function withdraw(address _token, uint256 _amount) external returns (uint256 _output) {
    IERC20Mintable(stable).burnFrom(_msgSender(), _amount);
    // line 67: same subtraction, same underflow for decimals() > 18
    _output = _amount/10**(18-IERC20Mintable(_token).decimals());
    IERC20(_token).transfer(
        _msgSender(),
        _output
    );
}
```

StableVault.sol: both withdraw and deposit will revert, because the `18 - decimals()` calculation at lines 49 and 67 underflows for a token with more than 18 decimals such as NEAR.

Tools Used

Manual review

Recommended Mitigation Steps

Consider subtracting the smaller decimal count from the larger one, and scaling in the matching direction, instead of always computing (18 - token decimals), so that tokens with more than 18 decimals are handled.
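One way to apply that mitigation, as an added example rather than the project's own code: the scaling helper branches on which side has more decimals, so a 24-decimal token neither reverts nor loses the conversion, and a deposit that rounds down to zero tigAsset is rejected. It assumes OpenZeppelin's IERC20Metadata for `decimals()` and a hypothetical IMintableBurnable interface standing in for the vault's IERC20Mintable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";

// Hypothetical stand-in for the vault's IERC20Mintable (assumed, not the project's interface).
interface IMintableBurnable {
    function mintFor(address to, uint256 amount) external;
    function burnFrom(address from, uint256 amount) external;
}

/// Converts between a token's native decimals and the 18-decimal tigAsset.
/// `18 - decimals` reverts under 0.8 checked arithmetic for a 24-decimal token
/// such as NEAR, so each direction branches on which side has more decimals.
library DecimalScaling {
    function toStable(uint256 amount, uint8 dec) internal pure returns (uint256) {
        if (dec <= 18) return amount * 10 ** (18 - dec);
        return amount / 10 ** (dec - 18); // floors: sub-1e-18 dust stays in the vault
    }
    function fromStable(uint256 amount, uint8 dec) internal pure returns (uint256) {
        if (dec <= 18) return amount / 10 ** (18 - dec);
        return amount * 10 ** (dec - 18);
    }
}

contract StableVaultScaled {
    using DecimalScaling for uint256;
    address public immutable owner;
    address public immutable stable;
    mapping(address => bool) public allowed;

    constructor(address _stable) { owner = msg.sender; stable = _stable; }

    function setAllowed(address _token, bool _ok) external {
        require(msg.sender == owner, "Not owner");
        allowed[_token] = _ok;
    }

    function deposit(address _token, uint256 _amount) public {
        require(allowed[_token], "Token not listed");
        uint256 minted = _amount.toStable(IERC20Metadata(_token).decimals());
        require(minted > 0, "Deposit rounds to zero"); // e.g. under 1e6 yoctoNEAR would mint nothing
        IERC20Metadata(_token).transferFrom(msg.sender, address(this), _amount);
        IMintableBurnable(stable).mintFor(msg.sender, minted);
    }

    function withdraw(address _token, uint256 _amount) external returns (uint256 _output) {
        IMintableBurnable(stable).burnFrom(msg.sender, _amount);
        _output = _amount.fromStable(IERC20Metadata(_token).decimals());
        IERC20Metadata(_token).transfer(msg.sender, _output);
    }
}
```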

#0 - c4-judge

2022-12-20T15:43:13Z

GalloDaSballo marked the issue as duplicate of #533

#1 - c4-judge

2023-01-22T17:44:35Z

GalloDaSballo marked the issue as satisfactory

#2 - c4-judge

2023-01-22T17:44:42Z

GalloDaSballo changed the severity to 2 (Med Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
