Caviar Private Pools - ayden's results

A fully on-chain NFT AMM that allows you to trade every NFT in a collection.

General Information

Platform: Code4rena

Start Date: 07/04/2023

Pot Size: $47,000 USDC

Total HM: 20

Participants: 120

Period: 6 days

Judge: GalloDaSballo

Total Solo HM: 4

Id: 230

League: ETH

Caviar

Findings Distribution

Researcher Performance

Rank: 81/120

Findings: 2

Award: $26.07

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Caviar

Findings Information

🌟 Selected for report: sashik_eth

Also found by: 0x4non, 0x6980, 0xAgro, Cryptor, Kaysoft, Kenshin, Madalad, SaeedAlipoor01988, Sathish9098, W0RR1O, adriro, ayden, btk, catellatech, codeslide, devscrooge, georgits, giovannidisiena, lukris02, matrix_0wl, sayan, tnevler, tsvetanovv

Awards

23.0813 USDC - $23.08

Labels

3 (High Risk)

satisfactory

duplicate-167

External Links

Link to GitHub issue

Judge has assessed an item in Issue #344 as 3 risk. The relevant finding follows:

https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L230#L231 https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L323#L324 To ensure that there is no overflow when converting uint256 to uint128,and the totalNetInputAmount can be extracted so that it does not need to be calculated again later

virtualBaseTokenReserves += uint128(netInputAmount - feeAmount - protocolFeeAmount);
virtualNftReserves -= uint128(weightSum);

uint256 totalNetInputAmount = netInputAmount - feeAmount - protocolFeeAmount;
require(uint128(totalNetInputAmount) == totalNetInputAmount, "totalNetInputAmount is not an int");
require(uint128(weightSum) == weightSum, "weightSum is not an int");

#0 - c4-judge
2023-05-04T16:55:57Z

GalloDaSballo marked the issue as duplicate of #167

#1 - c4-judge
2023-05-04T16:56:34Z

GalloDaSballo marked the issue as satisfactory

Findings Information

🌟 Selected for report: adriro

Also found by: 0x4non, 0x5rings, 0xLanterns, 0xWeiss, 0xbepresent, Brenzee, ElKu, Kek, Koolex, Naubit, T1MOH, ToonVH, anodaram, aviggiano, ayden, chaduke, ck, cryptonue, giovannidisiena, indijanc, joestakey, saian, shaka, yixxas

Awards

2.9913 USDC - $2.99

Labels

bug

2 (Med Risk)

low quality report

partial-50

duplicate-858

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L736

Vulnerability details

Impact

Let's say when the ERC20 token is USDC with a decimal value of 6, dividing by 1e18 would result in a value that is too small

Proof of Concept

function changeFeeQuote(uint256 inputAmount) public view returns (uint256 feeAmount, uint256 protocolFeeAmount) {
    // multiply the changeFee to get the fee per NFT (4 decimals of accuracy)
    uint256 exponent = baseToken == address(0) ? 18 - 4 : ERC20(baseToken).decimals() - 4;
    uint256 feePerNft = changeFee * 10 ** exponent;

    feeAmount = inputAmount * feePerNft / 1e18;
    protocolFeeAmount = feeAmount * Factory(factory).protocolFeeRate() / 10_000;
}

Tools Used

Manual

Recommended Mitigation Steps

    function changeFeeQuote(uint256 inputAmount) public view returns (uint256 feeAmount, uint256 protocolFeeAmount) {
        // multiply the changeFee to get the fee per NFT (4 decimals of accuracy)
        uint256 exponent = baseToken == address(0) ? 18 - 4 : ERC20(baseToken).decimals() - 4;
        uint256 feePerNft = changeFee * 10 ** exponent;

        feeAmount = inputAmount * feePerNft / 10 ** (exponent+4);
        protocolFeeAmount = feeAmount * Factory(factory).protocolFeeRate() / 10_000;
    }

#0 - c4-pre-sort
2023-04-20T10:19:49Z

0xSorryNotSorry marked the issue as low quality report

#1 - c4-judge
2023-05-01T19:16:12Z

GalloDaSballo marked the issue as duplicate of #858

#2 - c4-judge
2023-05-01T19:16:19Z

GalloDaSballo marked the issue as partial-50

#3 - GalloDaSballo
2023-05-01T19:16:28Z

Would have benefitted by having more details, 50%

Caviar Private Pools - ayden's results

A fully on-chain NFT AMM that allows you to trade every NFT in a collection.

General Information

Findings Distribution

Researcher Performance

External Links

[H-03] Upgraded Q -> 3 from #344 [1683218670048] - $23.08

Findings Information

Awards

Labels

External Links

#0 - c4-judge2023-05-04T16:55:57Z

#1 - c4-judge2023-05-04T16:56:34Z

[M-04] It is not reasonable to uniformly divide by 1e18 when calculating the feeAmount - $2.99

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - c4-pre-sort2023-04-20T10:19:49Z

#1 - c4-judge2023-05-01T19:16:12Z

#2 - c4-judge2023-05-01T19:16:19Z

#3 - GalloDaSballo2023-05-01T19:16:28Z

#0 - c4-judge
2023-05-04T16:55:57Z

#1 - c4-judge
2023-05-04T16:56:34Z

#0 - c4-pre-sort
2023-04-20T10:19:49Z

#1 - c4-judge
2023-05-01T19:16:12Z

#2 - c4-judge
2023-05-01T19:16:19Z

#3 - GalloDaSballo
2023-05-01T19:16:28Z