Ethereum Credit Guild - ast3ros's results

A trust minimized pooled lending protocol.

General Information

Platform: Code4rena

Start Date: 11/12/2023

Pot Size: $90,500 USDC

Total HM: 29

Participants: 127

Period: 17 days

Judge: TrungOre

Total Solo HM: 4

Id: 310

League: ETH

Ethereum Credit Guild

Findings Distribution

Researcher Performance

Rank: 96/127

Findings: 1

Award: $35.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

35.7813 USDC - $35.78

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
duplicate-966

External Links

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/e3d3e581e0e51a9ecf3a5a0c4e4bd4af32552fc0/src/tokens/ERC20RebaseDistributor.sol#L362-L364

Vulnerability details

Impact

Malicious actors can exploit the distribute function in the CreditToken contract to indefinitely delay the complete distribution of credit rewards to users participating in rebasing.

Proof of Concept

In the current implementation of the CreditToken contract, the distribute function is publicly accessible, allowing any user to trigger the distribution of tokens to rebasing accounts. The distribution's end timestamp is set to block.timestamp + DISTRIBUTION_PERIOD, with DISTRIBUTION_PERIOD being 30 days.

    if (_rebasingSupply != 0) {
        // update rebasingSharePrice interpolation
        uint256 endTimestamp = block.timestamp + DISTRIBUTION_PERIOD;

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/e3d3e581e0e51a9ecf3a5a0c4e4bd4af32552fc0/src/tokens/ERC20RebaseDistributor.sol#L362-L364

A malicious user can repeatedly call the distribute function with a minimal amount (e.g., 1 wei). Each call extends the distribution period by an additional 30 days. By doing this continually, the malicious user can effectively prolong the distribution indefinitely. This action not only delays the reward distribution but also gradually decreases the rate of distribution, adversely affecting users who have entered rebasing.

For example, consider a scenario where the total reward pool is 300e18 tokens, intended to be distributed evenly over 30 days, i.e. 10e18 tokens per day. On day 15 there should be 15 days left to distribute the remaining 150e18 tokens at a rate of 10e18 tokens per day. The malicious user calls distribute with 1 wei: the total rewards become 150e18 + 1 wei and the distribution period is reset to another 30 days, so the rate is now 5e18 per day. As we can see, the rate is reduced significantly (by 50%).
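The following Python model of the interpolation described above is added here as an illustration; it is not code from the report or from the protocol. It assumes rewards stream linearly over a [start, end] window and that each distribute call folds the undistributed remainder into a fresh 30-day window; the Distributor class, the caller names and the allowed_caller gate (the report's suggested mitigation) are hypothetical.

```python
from typing import Optional, Tuple

DAY = 86_400
DISTRIBUTION_PERIOD = 30 * DAY  # the 30-day period the finding describes


class Distributor:
    def __init__(self, now: int, allowed_caller: Optional[str] = None):
        self.start = now
        self.end = now
        self.total = 0  # amount streamed over the current [start, end] window
        self.allowed_caller = allowed_caller  # None models the public distribute()

    def pending(self, t: int) -> int:
        """Rewards not yet released at time t (linear over [start, end])."""
        if t >= self.end:
            return 0
        return self.total * (self.end - t) // (self.end - self.start)

    def rate_per_day(self) -> int:
        return self.total * DAY // (self.end - self.start)

    def distribute(self, caller: str, amount: int, t: int) -> None:
        # Mitigation proposed by the finding: gate the call on an authorised caller.
        if self.allowed_caller is not None and caller != self.allowed_caller:
            raise PermissionError("distribute: caller not authorised")
        # Flaw: the remainder is re-streamed over a fresh full period, so even
        # a 1 wei deposit pushes the end timestamp out by DISTRIBUTION_PERIOD.
        remaining = self.pending(t)
        self.start = t
        self.end = t + DISTRIBUTION_PERIOD
        self.total = remaining + amount


def griefing_scenario() -> Tuple[int, int, int]:
    """(rate/day before, rate/day after a 1 wei call on day 15, new end day)."""
    d = Distributor(0)
    d.distribute("profit_manager", 300 * 10**18, 0)  # 300e18 over 30 days
    rate_before = d.rate_per_day()  # 10e18 per day
    d.distribute("attacker", 1, 15 * DAY)  # 1 wei on day 15
    return rate_before, d.rate_per_day(), d.end // DAY  # 5e18 per day, ends day 45


def hardened_rejects_unauthorised() -> bool:
    """With a caller restriction, the same 1 wei call is refused."""
    d = Distributor(0, allowed_caller="profit_manager")
    d.distribute("profit_manager", 300 * 10**18, 0)
    try:
        d.distribute("attacker", 1, 15 * DAY)
    except PermissionError:
        return True
    return False
```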

Tools Used

Manual

Recommended Mitigation Steps

Restrict access to the distribute function so that only specific roles or authorized accounts can execute it.

Assessed type

DoS

#0 - c4-pre-sort

2024-01-03T21:02:02Z

0xSorryNotSorry marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-01-03T21:02:27Z

0xSorryNotSorry marked the issue as duplicate of #1100

#2 - c4-judge

2024-01-29T22:05:05Z

Trumpero marked the issue as satisfactory
