Frax Ether Liquid Staking contest - ayeslick's results

A liquid ETH staking derivative designed to uniquely leverage the Frax Finance ecosystem.

General Information

Platform: Code4rena

Start Date: 22/09/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 133

Period: 3 days

Judge: 0xean

Total Solo HM: 2

Id: 165

League: ETH

Frax Finance

Findings Distribution

Researcher Performance

Rank: 11/133

Findings: 3

Award: $630.32

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

19.982 USDC - $19.98

Labels

bug
duplicate
2 (Med Risk)

External Links

Lines of code

https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L192

Vulnerability details

Impact

There can be a period of time between a depositor calling the submit function and someone calling the depositEther function. During this window a malicious or compromised admin can call the recoverEther function with an arbitrary amount and remove that ETH from the contract.

Proof of Concept

Depositors deposit 30 ETH into the contract over time. A malicious or compromised admin calls the recoverEther function and drains the contract.

Recommended Mitigation Steps

Remove this function.

#0 - FortisFortuna

2022-09-25T21:23:39Z

We are well aware of the permission structure. The owner will most likely be a large multisig. We mentioned the Frax Multisig in the scope too. If moving funds, it is assumed someone in the multisig would catch an invalid or malicious address.

#1 - joestakey

2022-09-26T16:24:28Z

Duplicate of #107

Findings Information

🌟 Selected for report: ronnyx2017

Also found by: ayeslick, rvierdiiev

Labels

bug
duplicate
2 (Med Risk)

Awards

582.3084 USDC - $582.31

External Links

Lines of code

https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L166

Vulnerability details

Impact

A malicious or compromised admin can set the to address to the frxETHMinter contract itself, "sending" ETH to the contract and triggering its receive function. This causes the contract to mint more frxETHToken even though no new ETH entered the system, devaluing the token.

Proof of Concept

Depositors deposit 50 ETH into the contract, with 10 ETH being assigned to the currentWithheldETH variable. A malicious or compromised admin sets the to address to the frxETHMinter contract and the amount to 10 ETH. Once the call executes, the contract mints 10 additional frxETHToken even though no new ETH was deposited into the contract.

Recommended Mitigation Steps

Don't allow the to address to be set to the frxETHMinter contract address.

#0 - FortisFortuna

2022-09-25T23:12:04Z

We are well aware of the permission structure. The owner will most likely be a large multisig. We mentioned the Frax Multisig in the scope too. If moving funds, it is assumed someone in the multisig would catch an invalid or malicious address.

#1 - joestakey

2022-09-26T16:25:04Z

Duplicate of #221
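To make the mint-on-receive interaction from the second finding concrete, the following is a constructed minimal minter (an added example, not the Frax code). The 20% withhold figure, the 1:1 balance mapping, and the function names moveWithheldETHVulnerable and moveWithheldETH are assumptions standing in for frxETHMinter's own logic. In the vulnerable variant, moving the 10 ETH of withheld funds to address(this) runs receive(), which mints 10 unbacked tokens to the minter itself; the hardened variant rejects that destination, as the report recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed stand-in for the minter: receive() mints 1:1 for any ETH that
// arrives, and the owner can move withheld ETH out. Not the Frax contract.
contract MinimalMinter {
    address public owner;
    uint256 public withholdPercent;        // assumed: share of each deposit held back
    uint256 public currentWithheldETH;     // ETH held back from validator deposits
    mapping(address => uint256) public balanceOf; // stand-in for frxETH balances
    uint256 public totalSupply;

    constructor(uint256 _withholdPercent) {
        owner = msg.sender;
        withholdPercent = _withholdPercent; // 20 reproduces the report's 50 ETH / 10 ETH PoC
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Depositor path: mint for the ETH sent in and withhold a share of it.
    function submit() public payable {
        require(msg.value > 0, "no ETH");
        currentWithheldETH += (msg.value * withholdPercent) / 100;
        balanceOf[msg.sender] += msg.value;
        totalSupply += msg.value;
    }

    // The same mint path fires for plain ETH transfers. A self-transfer of
    // withheld ETH therefore mints tokens backed by nothing new.
    receive() external payable { submit(); }

    // Vulnerable: `to` may be this contract; the ETH loops back into receive().
    function moveWithheldETHVulnerable(address payable to, uint256 amount) external onlyOwner {
        require(amount <= currentWithheldETH, "not enough withheld");
        currentWithheldETH -= amount;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Hardened: reject the minter's own address before moving funds.
    function moveWithheldETH(address payable to, uint256 amount) external onlyOwner {
        require(to != address(this), "to must not be the minter");
        require(amount <= currentWithheldETH, "not enough withheld");
        currentWithheldETH -= amount;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

After a 50 ETH submit() with withholdPercent = 20, calling moveWithheldETHVulnerable(address(this), 10 ether) raises totalSupply from 50 to 60 while the contract's ETH balance stays at 50; the hardened function reverts on the same input.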

OperatorRegistry:

setTimeLock: The function doesn’t make sure the address is a contract

Recommendation: Check the address to make sure it’s a contract.

addValidator: The function allows for duplicate validators

Recommendation: Check whether the validator is already in the array. If it is, revert; if not, add it.

popValidators: Should bound the loop by the number of validators currently in the array.

swapValidators: An admin can call the swap with the same index for both arguments, i.e. swapping index 0 with index 0.

Recommendation: Enforce that the two indexes differ, i.e. a swap should be between index 0 and index 1, not between index 0 and index 0.
