Back to ayeslick's contests

prePO contest - ayeslick's results

Decentralized Exchange for Pre-IPO Stocks & Pre-IDO Tokens.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $36,500 USDC

Total HM: 9

Participants: 69

Period: 3 days

Judge: Picodes

Total Solo HM: 2

Id: 190

League: ETH

prePO

Findings Distribution

Researcher Performance

Rank: 32/69

Findings: 1

Award: $210.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryprePO

Findings Information

🌟 Selected for report: Trust

Also found by: 0Kage, Parth, aviggiano, ayeslick, bin2chen, cccz, chaduke, fs0c, hansfriese, imare, mert_eren, rvierdiiev

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-310

Awards

210.7761 USDC - $210.78

External Links

Link to GitHub issue

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/WithdrawHook.sol#L53

Vulnerability details

Impact

An operator can bypass the withdrawal limits if he withdraws when the lastUserPeriodReset + userPeriodLength or lastGlobalPeriodReset + globalPeriodLength is less than the block.timestamp. This causes a DOS as well since globalAmountWithdrawnThisPeriod will be greater than globalWithdrawLimitPerPeriod which will prevent any one from withdrawing until lastGlobalPeriodReset + globalPeriodLength is less than the block.timestamp.

Proof of Concept

An operator deposits an amount that's greater than globalWithdrawLimitPerPeriod when lastGlobalPeriodReset + globalPeriodLength is just less than the block.timestamp. This allows the operator to deposit more than globalWithdrawLimitPerPeriod It also prevents other customers from withdrawing until lastGlobalPeriodReset + globalPeriodLength is less than the block.timestamp.

Place the require statement in the else block in the if block for both if statements.

if (lastGlobalPeriodReset + globalPeriodLength < block.timestamp) {
      require(globalAmountWithdrawnThisPeriod + _amountBeforeFee <= globalWithdrawLimitPerPeriod, "global withdraw limit exceeded");
      lastGlobalPeriodReset = block.timestamp;
      globalAmountWithdrawnThisPeriod = _amountBeforeFee;
    } else {
      require(globalAmountWithdrawnThisPeriod + _amountBeforeFee <= globalWithdrawLimitPerPeriod, "global withdraw limit exceeded");
      globalAmountWithdrawnThisPeriod += _amountBeforeFee;
    }

#0 - hansfriese

2022-12-14T17:56:52Z

duplicate of #310, mitigation seems to be incorrect

#1 - c4-judge

2022-12-17T21:46:48Z

Picodes marked the issue as duplicate of #310

#2 - c4-judge

2022-12-17T21:46:53Z

Picodes marked the issue as partial-50

#3 - Picodes

2022-12-17T21:47:00Z

Partial credit as the mitigation is incorrect

#4 - c4-judge

2023-01-01T17:20:30Z

Picodes marked the issue as satisfactory

#5 - c4-judge

2023-01-09T20:35:33Z

Picodes changed the severity to 3 (High Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter