Tapioca DAO - ak1's results

The first ever Omnichain money market, powered by LayerZero.

General Information

Platform: Code4rena

Start Date: 05/07/2023

Pot Size: $390,000 USDC

Total HM: 136

Participants: 132

Period: about 1 month

Judge: LSDan

Total Solo HM: 56

Id: 261

League: ETH

Tapioca DAO

Findings Distribution

Researcher Performance

Rank: 80/132

Findings: 2

Award: $117.50

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Tapioca DAO

Findings Information

🌟 Selected for report: peakbolt

Also found by: ak1, bin2chen, glcanvas, rvierdiiev, unsafesol

Labels

bug

2 (Med Risk)

satisfactory

duplicate-1175

Awards

76.3356 USDC - $76.34

External Links

Link to GitHub issue

Lines of code

https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/option-airdrop/AirdropBroker.sol#L459

Vulnerability details

Impact

Incorrect eligibleAmount is minted to the user.

Proof of Concept

An eligible user can call the _participatePhase3 function and mint the aToken to them.

function _participatePhase3(
    bytes calldata _data
) internal returns (uint256 oTAPTokenID) {
    uint256 _tokenID = abi.decode(_data, (uint256));


    require(PCNFT.ownerOf(_tokenID) == msg.sender, "adb: Not eligible");
    address tokenIDToAddress = address(uint160(_tokenID));
    require(
        userParticipation[tokenIDToAddress][3] == false,
        "adb: Already participated"
    );
    // Close eligibility
    // To avoid a potential attack vector, we cast token ID to an address instead of using _to,
    // no conflict possible, tokenID goes from 0 ... 714.
    userParticipation[tokenIDToAddress][3] = true;


    uint128 expiry = uint128(lastEpochUpdate + EPOCH_DURATION); // Set expiry to the end of the epoch
    uint256 eligibleAmount = PHASE_3_AMOUNT_PER_USER; -------------->>>> audit find. should be multiplied by 1e18
    uint128 discount = uint128(PHASE_3_DISCOUNT);
    oTAPTokenID = aoTAP.mint(msg.sender, expiry, discount, eligibleAmount);
}

As shown above, the eligibleAmount is incorrectly set.

Note aoTAP has decimal value of 1e18.

Tools Used

Recommended Mitigation Steps

Update the Line as shown below

uint256 eligibleAmount = PHASE_3_AMOUNT_PER_USER * 1e18;

Assessed type

Decimal

#0 - c4-pre-sort
2023-08-05T15:10:35Z

minhquanym marked the issue as duplicate of #173

#1 - c4-judge
2023-09-18T13:29:17Z

dmvt marked the issue as satisfactory

Tapioca DAO - ak1's results

The first ever Omnichain money market, powered by LayerZero.

General Information

Findings Distribution

Researcher Performance

External Links

[M-38] AirdropBroker.sol#L442 :` _participatePhase3` - `PHASE_3_AMOUNT_PER_USER` should be multiplied by 1e18 - $76.34

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2023-08-05T15:10:35Z

#1 - c4-judge2023-09-18T13:29:17Z

#0 - c4-pre-sort
2023-08-05T15:10:35Z

#1 - c4-judge
2023-09-18T13:29:17Z