Inverse Finance contest - c7e7eff's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Inverse Finance

Researcher Performance

Rank: 42/127

Findings: 3

Award: $70.74

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

33.634 USDC - $33.63

Labels

bug
2 (Med Risk)
satisfactory
duplicate-301

External Links

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L136

Vulnerability details

Impact

Currently, governance roles are used for multiple high-risk parameter changes, such as changing the collateral and liquidation factors. All these changes go into effect immediately. In case of a key compromise, this could be used to set the lender and remove all of the DOLA funds held by the Market, but also to set the liquidation factor, etc.

Proof of Concept

In the case of the Market contract, governance can set the LiquidationFactor and set the lender, who in turn can transfer a large amount of DOLA from the market to themselves:

setLender(): https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L136

recall(): https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L203

setLiquidationFactor(): https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L161

setReplenishmentIncentive(): https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L172

setLiquidationIncentiveBps(): https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L183

In the case of the DBR contract, the Operator can set the minter, which in turn can mint any amount of DBR tokens to any address:

addMinter(): https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/DBR.sol#L81

mint(): https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/DBR.sol#L349

In the case of the Oracle contract, the operator can set a fixed price or change the feed for any token of the oracle:

setFixedPrice(): https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L61

setFeed(): https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L53

Tools Used

Manual review.

To protect against the impact of a possible governance key compromise, placing a timelock on certain functions allows the team to take proper action and allows users to repay their loans and withdraw their collateral.
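A timelock of the kind recommended above, applied to the lender change, could look like the following. This is an added example, not part of the original submission or of Inverse Finance's code; the contract name, the queue/cancel/execute function names and the two-day delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Added illustration; hypothetical contract, not Inverse Finance code.
contract TimelockedLender {
    uint256 public constant DELAY = 2 days; // assumed delay; choose per protocol
    address public gov;
    address public lender;
    address public pendingLender;
    uint256 public pendingLenderEta; // 0 means nothing is queued

    event LenderChangeQueued(address indexed newLender, uint256 eta);
    event LenderChangeCancelled(address indexed newLender);
    event LenderChanged(address indexed oldLender, address indexed newLender);

    modifier onlyGov() {
        require(msg.sender == gov, "Only gov");
        _;
    }

    constructor(address _gov, address _lender) {
        gov = _gov;
        lender = _lender;
    }

    /// Step 1: announce the change; it cannot take effect before the eta.
    function queueLender(address _lender) external onlyGov {
        pendingLender = _lender;
        pendingLenderEta = block.timestamp + DELAY;
        emit LenderChangeQueued(_lender, pendingLenderEta);
    }

    /// Lets governance abort a queued change during the delay.
    function cancelLender() external onlyGov {
        emit LenderChangeCancelled(pendingLender);
        delete pendingLender;
        delete pendingLenderEta;
    }

    /// Step 2: apply the change once the delay has elapsed.
    function executeLender() external onlyGov {
        require(pendingLenderEta != 0, "Nothing queued");
        require(block.timestamp >= pendingLenderEta, "Timelock not expired");
        emit LenderChanged(lender, pendingLender);
        lender = pendingLender;
        delete pendingLender;
        delete pendingLenderEta;
    }
}
```

The queued event gives monitoring a signal at the start of the delay, which is the window in which users can repay and withdraw before an unexpected lender change takes effect.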

#0 - c4-judge

2022-11-06T15:03:16Z

0xean marked the issue as duplicate

#1 - Simon-Busch

2022-12-05T15:36:27Z

Issue marked as satisfactory as requested by 0xean

#2 - c4-judge

2022-12-07T08:22:04Z

Simon-Busch marked the issue as duplicate of #301

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L116

Vulnerability details

Impact

Chainlink has deprecated their latestAnswer() API in favor of latestRoundData(). The returned data should also be checked to be recent. Stale data could lead to a miscalculation of collateral value.

Proof of Concept

The Oracle's getPrice() uses a deprecated function of the Chainlink API:

function getPrice(address token, uint collateralFactorBps) external returns (uint) {
	...
	uint price = feeds[token].feed.latestAnswer();

Tools Used

Manual review

Use latestRoundData() and check that the data is recent by comparing the roundId and answeredInRound values.

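function getPrice(address token, uint collateralFactorBps) external returns (uint) {
	...
	// latestRoundData() returns (roundId, answer, startedAt, updatedAt, answeredInRound)
	(uint80 roundID, int256 answer, , , uint80 answeredInRound) = feeds[token].feed.latestRoundData();
	require(answeredInRound >= roundID, "Stale price data.");
	require(answer > 0, "Invalid price.");
	uint price = uint(answer);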

#0 - neumoxx

2022-10-31T08:37:59Z

Duplicate of #601

#1 - c4-judge

2022-11-05T22:52:46Z

0xean marked the issue as duplicate

#2 - Simon-Busch

2022-12-05T15:29:59Z

Issue marked as satisfactory as requested by 0xean

#3 - c4-judge

2022-12-07T08:14:13Z

Simon-Busch marked the issue as duplicate of #584

Inverse Finance QA report

Low

L00 Use timestamp instead of nonce for EIP712 signed structures

EIP712 is meant to make the message to sign human readable. A nonce doesn't mean anything to a human. Using a signedAt field in the form of a timestamp (similar to the deadline) makes it possible for wallets to present this information as a human-readable date and time. Increasing the nonce can then be replaced by setting an 'invalid before' timestamp before which all signed messages become invalid.

L01 Change of governance/operator should be a 2 step approach

Setting the governance or operator address in 1 step is prone to setting it to the wrong address, in which case it cannot be recovered. A 2 step approach (setPending/claim) is recommended, as is already done in some other contracts. Personally I feel this qualifies at least as a medium risk, but I know there is some discussion about the risk level so I have put it as a low risk.

L02 Feed tokenDecimals should be taken from the token contract itself

The decimals for the collateral ERC20 token should be taken from the contract itself instead of taking it as a parameter. The token contract is given as the first parameter so calling decimals() on the token contract eliminates any possible misconfiguration.

L03 Governance and operator functions do not emit events

Multiple governance functions do not emit appropriate events. These events allow monitoring of certain actions taken on the contract.

Non Critical

NC00

no @param specified for collateralFactorBps
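The signedAt and 'invalid before' scheme from L00 could be verified on-chain as sketched below. This is an added example, not code from the report or from Inverse Finance; the contract, the Action struct and all function names are hypothetical. It assumes that consumed digests are tracked, because removing the nonce also removes per-message replay protection.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Added illustration of L00; hypothetical contract, not Inverse Finance code.
contract SignedAtExample {
    bytes32 public immutable DOMAIN_SEPARATOR;
    // Hypothetical struct: a human-readable signedAt replaces the nonce.
    bytes32 public constant ACTION_TYPEHASH = keccak256(
        "Action(address caller,address from,uint256 amount,uint256 signedAt,uint256 deadline)");
    // Messages signed before this time are rejected (replaces nonce increments).
    mapping(address => uint256) public invalidBefore;
    // Without a nonce, consumed digests must be tracked to stop replays.
    mapping(bytes32 => bool) public used;

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256(bytes("SignedAtExample")), keccak256(bytes("1")),
            block.chainid, address(this)));
    }

    /// Invalidate every message the caller signed before the current block time.
    function invalidateAll() external {
        invalidBefore[msg.sender] = block.timestamp;
    }

    function _digest(address from, uint256 amount, uint256 signedAt, uint256 deadline)
        private view returns (bytes32)
    {
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, keccak256(
            abi.encode(ACTION_TYPEHASH, msg.sender, from, amount, signedAt, deadline))));
    }

    function actOnBehalf(address from, uint256 amount, uint256 signedAt,
        uint256 deadline, uint8 v, bytes32 r, bytes32 s) external
    {
        require(block.timestamp <= deadline, "Expired");
        require(signedAt <= block.timestamp, "Signed in the future");
        require(signedAt >= invalidBefore[from], "Invalidated");
        bytes32 digest = _digest(from, amount, signedAt, deadline);
        require(!used[digest], "Replayed");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == from, "Invalid signer");
        used[digest] = true;
        // ... perform the action for `from` here (assumed, elided) ...
    }
}
```

Because signedAt comes from the signer's clock, a wallet running ahead of block time will fail the "Signed in the future" check until the chain catches up.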

#0 - c4-judge

2022-11-08T00:41:25Z

0xean marked the issue as grade-b
