Back to catchup's contests

Tribe Turbo contest - catchup's results

A new DeFi primitive that allows any token to become productive and provide FEI liquidity at no cost to the markets that need it most.

General Information

Platform: Code4rena

Start Date: 17/02/2022

Pot Size: $75,000 USDC

Total HM: 7

Participants: 23

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 2

Id: 92

League: ETH

Tribe

Findings Distribution

Researcher Performance

Rank: 15/23

Findings: 2

Award: $420.84

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryTribe

Findings Information

🌟 Selected for report: csanuragjain

Also found by: 0x1f8b, Dravee, IllIllI, Picodes, Ruhum, WatchPug, asgeir, catchup, cmichel, defsec, hyh, kenta, nascent, pauliax, robee, samruna

Awards

274.1542 USDC - $274.15

Labels

bug
QA (Quality Assurance)
sponsor acknowledged

External Links

Link to GitHub issue

C4 finding submitted: (risk = 1 (Low Risk)) Slurp function may revert when it shouldn't

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L260

Vulnerability details

Impact

slurp function checking for a non-zero getTotalFeiBoostedForVault[vault] value may cause problems.

Proof of Concept

1-Alice boosts vault V with 100 tokens. getTotalFeiBoostedForVault[vault] = 100 2-After sometime, vault accrues 1 interest. 3-Alice lesses vault V for 100 tokens. getTotalFeiBoostedForVault[vault] = 0 4-When slurp is called, it will revert although vault has 1 token.

Tools Used

Manual analysis

Check against interestEarned instead. First 2 lines of the function can be changed as:

    // Compute the amount of Fei interest the Safe generated by boosting the Vault.
    uint256 interestEarned = vault.assetsOf(address(this)) - getTotalFeiBoostedForVault[vault];

// Ensure the Safe has earned interest in the Vault.
    require(interestEarned != 0, "NO_FEI_BOOSTED");

C4 finding submitted: (risk = 1 (Low Risk)) Non-zero recipient address checks are missing.

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L306 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L335 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L318 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboGibber.sol#L74 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboGibber.sol#L98

Vulnerability details

Impact

If the recipient address is zero, tokens will be burnt accidentially. It is a good practice to check the address is non-zero.

Proof of Concept

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L306 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L335 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L318 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboGibber.sol#L74 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboGibber.sol#L98

Tools Used

Manual analysis

Add a non-zero address check before token transfers require(to != address(0), "Zero address");

C4 finding submitted: (risk = 0 (Non-critical)) There are 2 sweep functions and TokenSweeped events

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L300 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L306 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L312 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L318

Vulnerability details

Impact

It is not a good practice to use exact same function names for 2 different functions. Also the created events are exactly the same, so it would not be possible to distinguish master sweeps events from safe sweep events.

Proof of Concept

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L300 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L306 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L312 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L318

Tools Used

Manual analysis

Rename the sweep functions and their events, so that they can be distinguished.

#0 - GalloDaSballo

2022-03-19T16:43:01Z

Revert on nonZero -> Pretty good finding, may be ideal to slurp on less Address zero check -> Agree by convention Sweep convention -> Personally disagree as the function does the same thing, the tweaks are for context

I appreciated that the warden put links for the findings, making mitigation easier.

I think formatting could have been done a lot better, especially titles, linking to sections and overall making the report easier to scan through.

#1 - GalloDaSballo

2022-03-20T14:58:27Z

4/10

Findings Information

🌟 Selected for report: nascent

Also found by: 0v3rf10w, CertoraInc, Dravee, IllIllI, Picodes, Tomio, WatchPug, catchup, csanuragjain, gzeon, kenta, robee, samruna

Labels

bug
G (Gas Optimization)

Awards

146.6876 USDC - $146.69

External Links

Link to GitHub issue

C4 finding submitted: (Gas) Missing non-zero amount checks

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L318 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L171 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L210 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L306

Vulnerability details

Impact

Functions do not check if the amount is non-zero. A zero amount would result in unnecessary transaction and gas usage.

Proof of Concept

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L318 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L171 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L210 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L306

Tools Used

Manual analysis

Check if the amount is non-zero

C4 finding submitted: (Gas) Changing the order in boost function can save gas

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L191

Vulnerability details

Impact

require(feiTurboCToken.borrow(feiAmount) == 0, "BORROW_FAILED"); can be called just after master.onSafeBoost(asset, vault, feiAmount); In case the borrow fails and reverts, the intermediate steps would be avoided.

Proof of Concept

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L191

Tools Used

Manual analysis

Change the order as: // Ensure the Vault accepts Fei asset. require(vault.asset() == fei, "NOT_FEI");

    // Call the Master where it will do extra validation
    // and update it's total count of funds used for boosting.
    master.onSafeBoost(asset, vault, feiAmount);

    // Borrow the Fei amount from the Fei cToken in the Turbo Fuse Pool.
    require(feiTurboCToken.borrow(feiAmount) == 0, "BORROW_FAILED");

.
.

#0 - GalloDaSballo

2022-03-07T01:41:48Z

I think the formatting on this submission went wrong, and would recommend the warden to always try their MD submission on a preview tool before submitting

I don't think the sponsor likes 0 checks

3/10

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter