Sublime contest - broccolirob's results

Democratizing credit via Web3.

General Information

Platform: Code4rena

Start Date: 09/12/2021

Pot Size: $50,000 USDC

Total HM: 19

Participants: 21

Period: 7 days

Judge: 0xean

Total Solo HM: 14

Id: 61

League: ETH

Sublime

Findings Distribution

Researcher Performance

Rank: 15/21

Findings: 1

Award: $845.03

🌟 Selected for report: 1

🚀 Solo Findings: 1

Findings Information

🌟 Selected for report: broccolirob

Labels

bug
2 (Med Risk)
disagree with severity

Awards

845.0261 USDC - $845.03

External Links

Handle

broccolirob

Vulnerability details

If a borrower calls the createPool function with a non-zero value, but also includes an ERC20 token address for _collateralToken, then the Ether value sent will be locked in the PoolFactory contract forever.

In the _createPool function, a _collateralToken address other than the zero address will set the amount variable to zero. That amount variable will be passed to create2 which will send 0 wei to the newly created Pool contract.

// _createPool L349
uint256 amount = _collateralToken == address(0) ? _collateralAmount : 0;

Impact

A borrower can accidentally lock Ether in the PoolFactory without the ability to retrieve it.

Proof of Concept

A borrower reuses a script they made to create a pool and deposit collateral. They intend to deposit Ether as collateral, so they send value with the transaction, but forget to change the _collateralToken address to address(0). The Pool contract will be deployed using the _collateralToken, and the Ether sent will be locked in the PoolFactory.

Tools Used

Manual analysis and Hardhat.

If msg.value is greater than 0, make sure the _collateralToken address is set to address(0).
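The pattern the finding describes and the recommended check, as an added illustration that is not Sublime's PoolFactory code: a stub Pool records what it was created with, the vulnerable factory reproduces the ternary from _createPool (msg.value is never forwarded when an ERC20 address is supplied, and no withdrawal path exists), and the hardened factory rejects Ether unless _collateralToken is address(0). The contract names, the stub constructor signature, and the assumption that msg.value must equal _collateralAmount for Ether collateral are all constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed stand-in for the Pool contract: it only records the collateral
// it was created with and accepts any Ether forwarded by create2.
contract PoolStub {
    address public collateralToken;
    uint256 public collateralAmount;

    constructor(address _collateralToken, uint256 _collateralAmount) payable {
        collateralToken = _collateralToken;
        collateralAmount = _collateralAmount;
    }
}

// Mirrors the pattern reported in the finding. If _collateralToken is an ERC20
// address, amount becomes 0, so any msg.value attached to the call stays in
// this contract. There is no function that can move it out again.
contract VulnerableFactory {
    function createPool(address _collateralToken, uint256 _collateralAmount, bytes32 _salt)
        external
        payable
        returns (address pool)
    {
        uint256 amount = _collateralToken == address(0) ? _collateralAmount : 0;
        pool = address(new PoolStub{value: amount, salt: _salt}(_collateralToken, _collateralAmount));
    }
}

// Same flow with the check the report recommends: Ether may only accompany a
// pool whose collateral is Ether, and then it must match the declared amount
// (the equality requirement is an assumption of this example).
contract HardenedFactory {
    function createPool(address _collateralToken, uint256 _collateralAmount, bytes32 _salt)
        external
        payable
        returns (address pool)
    {
        if (_collateralToken == address(0)) {
            require(msg.value == _collateralAmount, "Ether sent must equal collateral amount");
        } else {
            require(msg.value == 0, "Do not send Ether with ERC20 collateral");
        }
        uint256 amount = _collateralToken == address(0) ? _collateralAmount : 0;
        pool = address(new PoolStub{value: amount, salt: _salt}(_collateralToken, _collateralAmount));
    }
}
```

Calling VulnerableFactory.createPool with a non-zero msg.value and a token address succeeds and leaves the factory's balance increased; the same call against HardenedFactory reverts before any deployment, which is the behaviour the mitigation asks for.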

#0 - ritik99

2021-12-25T13:36:21Z

We will add this check, but the scenario laid out is more about sanity checks on the side of the end-user. Assets are not stolen or compromised directly, but because of user error. Such cases are better handled via UI/UX. We would suggest a (1) Low rating given the likelihood.

#1 - 0xean

2022-01-21T00:34:08Z

Marking down to medium risk based on the c4 documentation and some external requirements on how this would have to occur.

2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.