prePO contest - aviggiano's results

Decentralized Exchange for Pre-IPO Stocks & Pre-IDO Tokens.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $36,500 USDC

Total HM: 9

Participants: 69

Period: 3 days

Judge: Picodes

Total Solo HM: 2

Id: 190

League: ETH

prePO

Researcher Performance

Rank: 34/69

Findings: 1

Award: $210.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Trust

Also found by: 0Kage, Parth, aviggiano, ayeslick, bin2chen, cccz, chaduke, fs0c, hansfriese, imare, mert_eren, rvierdiiev

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
edited-by-warden
duplicate-310

Awards

210.7761 USDC - $210.78

External Links

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/WithdrawHook.sol#L66-L69

https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/WithdrawHook.sol#L59-L62

Vulnerability details

Impact

Withdraw hook period limits (userWithdrawLimitPerPeriod and globalWithdrawLimitPerPeriod) are not enforced when the period is reset. Because of this, users can withdraw more than the period limits.

Proof of Concept

  1. Alice deposits the base token on the Collateral contract
  2. Alice waits some time, until the check lastUserPeriodReset + userPeriodLength < block.timestamp passes
  3. Alice withdraws the full amount of the base token from the Collateral

Tools Used

Manual inspection

Check for period limits on period reset

diff --git a/apps/smart-contracts/core/contracts/WithdrawHook.sol b/apps/smart-contracts/core/contracts/WithdrawHook.sol index 546b2b5..b693f2b 100644 --- a/apps/smart-contracts/core/contracts/WithdrawHook.sol +++ b/apps/smart-contracts/core/contracts/WithdrawHook.sol @@ -58,6 +58,7 @@ contract WithdrawHook is IWithdrawHook, TokenSenderCaller, SafeAccessControlEnum require(withdrawalsAllowed, "withdrawals not allowed"); if (lastGlobalPeriodReset + globalPeriodLength < block.timestamp) { lastGlobalPeriodReset = block.timestamp; + require(_amountBeforeFee <= globalWithdrawLimitPerPeriod, "global withdraw limit exceeded"); globalAmountWithdrawnThisPeriod = _amountBeforeFee; } else { require(globalAmountWithdrawnThisPeriod + _amountBeforeFee <= globalWithdrawLimitPerPeriod, "global withdraw limit exceeded"); @@ -65,6 +66,7 @@ contract WithdrawHook is IWithdrawHook, TokenSenderCaller, SafeAccessControlEnum } if (lastUserPeriodReset + userPeriodLength < block.timestamp) { lastUserPeriodReset = block.timestamp; + require(_amountBeforeFee <= userWithdrawLimitPerPeriod, "user withdraw limit exceeded"); userToAmountWithdrawnThisPeriod[_sender] = _amountBeforeFee; } else { require(userToAmountWithdrawnThisPeriod[_sender] + _amountBeforeFee <= userWithdrawLimitPerPeriod, "user withdraw limit exceeded");
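
Review bot: in the global reset branch the added require sits after the write to lastGlobalPeriodReset and repeats the else-branch check with the same message, so the limit is now enforced in two places that can drift apart. Consider having the reset branch only set lastGlobalPeriodReset and zero globalAmountWithdrawnThisPeriod, then running one require(globalAmountWithdrawnThisPeriod + _amountBeforeFee <= globalWithdrawLimitPerPeriod, "global withdraw limit exceeded") after the if for both cases. A test that makes the first withdrawal of a new period larger than the limit would pin this behaviour.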
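
Review bot: the user reset branch updates lastUserPeriodReset, which is a single value, but resets the counter only for _sender through userToAmountWithdrawnThisPeriod[_sender] = _amountBeforeFee. Once one sender has triggered the reset, every other sender lands in the else branch with their total from the previous period still counted against userWithdrawLimitPerPeriod, and the added require does not change that. Consider tracking the last reset per sender, keyed the same way as userToAmountWithdrawnThisPeriod, as part of this fix.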
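
The scenario from the Proof of Concept, replayed against a small Python model of the two period checks in the diff above, with and without the added require lines. This is an added example, not code from the submission or from prePO; the class and function names, the limits (1000 global, 100 per user), the 3600-second period shared by both checks, and the accumulation lines in the non-reset branches (not visible in the diff) are assumptions.

```python
import copy
G_MSG, U_MSG = "global withdraw limit exceeded", "user withdraw limit exceeded"

class LimitExceeded(Exception):
    """Stands in for a Solidity require() revert."""

class WithdrawHookModel:
    def __init__(self, global_limit, user_limit, period, check_on_reset):
        self.global_limit, self.user_limit, self.period = global_limit, user_limit, period
        self.check_on_reset = check_on_reset  # False: original code, True: patched
        self.last_global_reset = self.last_user_reset = 0
        self.global_withdrawn, self.user_withdrawn = 0, {}

    def _require(self, ok, msg):
        if not ok:
            raise LimitExceeded(msg)

    def hook(self, sender, amount, now):
        trial = copy.deepcopy(self)       # a revert discards every state write
        trial._apply(sender, amount, now)
        self.__dict__ = trial.__dict__    # commit only when no require() failed

    def _apply(self, sender, amount, now):
        if self.last_global_reset + self.period < now:      # reset branch
            self.last_global_reset = now
            self._require(not self.check_on_reset or amount <= self.global_limit, G_MSG)
            self.global_withdrawn = amount
        else:
            self._require(self.global_withdrawn + amount <= self.global_limit, G_MSG)
            self.global_withdrawn += amount                 # assumed: not shown in the diff
        used = self.user_withdrawn.get(sender, 0)
        if self.last_user_reset + self.period < now:        # reset branch
            self.last_user_reset = now
            self._require(not self.check_on_reset or amount <= self.user_limit, U_MSG)
            self.user_withdrawn[sender] = amount
        else:
            self._require(used + amount <= self.user_limit, U_MSG)
            self.user_withdrawn[sender] = used + amount     # assumed: not shown in the diff

def replay_poc(check_on_reset, amount=5000):
    """Constructed scenario: one withdrawal just after the period elapses, then 1 more unit."""
    hook, outcome = WithdrawHookModel(1000, 100, 3600, check_on_reset), []
    for now, amt in ((3601, amount), (3602, 1)):
        try:
            hook.hook("alice", amt, now)
            outcome.append("ok")
        except LimitExceeded as exc:
            outcome.append(str(exc))
    return outcome
```

With check_on_reset=False the first call of a new period succeeds for any amount and only the following call is limited; with True the oversized call fails with the same message the in-period check uses.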

#0 - hansfriese

2022-12-14T18:19:49Z

duplicate of #310

#1 - c4-judge

2022-12-19T09:49:05Z

Picodes marked the issue as duplicate of #310

#2 - c4-judge

2023-01-01T17:21:13Z

Picodes marked the issue as satisfactory

#3 - c4-judge

2023-01-09T20:34:44Z

Picodes changed the severity to 3 (High Risk)
