Back to auditsea's contests

Arcade.xyz - auditsea's results

The first of its kind Web3 platform to enable liquid lending markets for NFTs.

General Information

Platform: Code4rena

Start Date: 21/07/2023

Pot Size: $90,500 USDC

Total HM: 8

Participants: 60

Period: 7 days

Judge: 0xean

Total Solo HM: 2

Id: 264

League: ETH

Arcade.xyz

Findings Distribution

Researcher Performance

Rank: 28/60

Findings: 1

Award: $471.90

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryArcade.xyz

Findings Information

🌟 Selected for report: Juntao

Also found by: Jiamin, Juntao, UniversalCrypto, auditsea, circlelooper, crunch, lanrebayode77, vangrim, zaevlad

Labels

bug
2 (Med Risk)
satisfactory
duplicate-58

Awards

471.8972 USDC - $471.90

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-07-arcade/blob/f8ac4e7c4fdea559b73d9dd5606f618d4e6c73cd/contracts/ArcadeTreasury.sol#L384-L394

Vulnerability details

Impact

A block might be blocked by expenditure limit without spending any tokens, or spend less tokens than the given limit.

Proof of Concept

In ArcadeTreasury::_approve() function, blockExpenditure of the current block will get increased when this function is called.

    function _approve(address token, address spender, uint256 amount, uint256 limit) internal {
        // check that after processing this we will not have spent more than the block limit
        uint256 spentThisBlock = blockExpenditure[block.number];
        if (amount + spentThisBlock > limit) revert T_BlockSpendLimit();
        blockExpenditure[block.number] = amount + spentThisBlock; // --> Here blockExpenditure gets increased without spending any token

        // approve tokens
        IERC20(token).approve(spender, amount);

        emit TreasuryApproval(token, spender, amount);
    }

This means, by calling only approval multiple times, the block won't be able to spend tokens, because it will be blocked by limit criteria in _spend() function.

    function _spend(address token, uint256 amount, address destination, uint256 limit) internal {
        // check that after processing this we will not have spent more than the block limit
        uint256 spentThisBlock = blockExpenditure[block.number];
        if (amount + spentThisBlock > limit) revert T_BlockSpendLimit(); // --> This line blocks spending.
        blockExpenditure[block.number] = amount + spentThisBlock;

        // transfer tokens
        if (address(token) == ETH_CONSTANT) {
            // will out-of-gas revert if recipient is a contract with logic inside receive()
            payable(destination).transfer(amount);
        } else {
            IERC20(token).safeTransfer(destination, amount);
        }

        emit TreasuryTransfer(token, destination, amount);
    }

Tools Used

Manual Review

Remove the line below from _approve() function

    blockExpenditure[block.number] = amount + spentThisBlock;

Assessed type

ERC20

#0 - c4-pre-sort

2023-07-30T06:57:27Z

141345 marked the issue as duplicate of #263

#1 - c4-pre-sort

2023-08-01T07:53:49Z

141345 marked the issue as not a duplicate

#2 - c4-pre-sort

2023-08-01T07:53:56Z

141345 marked the issue as duplicate of #58

#3 - c4-judge

2023-08-11T01:40:45Z

0xean marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter