Anchor contest - cccz's results

The Benchmark DeFi Yield.

General Information

Platform: Code4rena

Start Date: 24/02/2022

Pot Size: $170,000 UST

Total HM: 15

Participants: 16

Period: 14 days

Judge: Albert Chon

Total Solo HM: 11

Id: 82

League: COSMOS

Anchor

Researcher Performance

Rank: 15/16

Findings: 1

Award: $572.98

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: hickuphh3

Also found by: 0xliumin, 0xwags, BondiPestControl, IllIllI, WatchPug, broccoli, cccz, cmichel, defsec, gzeon, hubble, robee

Labels

QA (Quality Assurance)

Awards

572.9757 USDC - $572.98

External Links

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L177-L201

Vulnerability details

Impact

When the handleToken method of the CrossAnchorBridge contract is called, the token address is not restricted. If a user supplies a fee-on-transfer token, the number of tokens the contract actually receives is less than amount, so when the transferTokens method of the WormholeTokenBridge contract is then called, tokens belonging to other users are transferred.

Proof of Concept

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L177-L201

Tools Used

None

Consider getting the received amount by calculating the difference of token balance (using balanceOf) before and after the transferFrom.
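
The balance-difference check recommended above, as an added example that is not code from CrossAnchorBridge or from this submission. The contract, function and event names are hypothetical; only the OpenZeppelin IERC20 and SafeERC20 imports are real library code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical intake contract illustrating the recommendation.
contract BalanceDiffIntake {
    using SafeERC20 for IERC20;

    bool private locked; // minimal reentrancy lock

    event TokensReceived(address indexed token, address indexed from, uint256 requested, uint256 received);

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    /// Pulls `amount` of `token` from the caller and returns the amount that
    /// actually arrived, which is lower than `amount` for fee-on-transfer tokens.
    function _pullTokens(IERC20 token, uint256 amount) internal returns (uint256 received) {
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        uint256 balanceAfter = token.balanceOf(address(this));

        // Checked arithmetic (Solidity 0.8+) reverts if the balance went down.
        received = balanceAfter - balanceBefore;
        require(received > 0, "nothing received");
        emit TokensReceived(address(token), msg.sender, amount, received);
    }

    /// Entry point standing in for a bridge deposit. The lock matters because a
    /// token with transfer hooks could re-enter mid-transfer and make the outer
    /// call count the inner deposit as its own.
    function deposit(IERC20 token, uint256 amount) external nonReentrant returns (uint256 forwarded) {
        forwarded = _pullTokens(token, amount);
        // Approve and forward `forwarded`, never `amount`, to the downstream
        // bridge call, so the contract cannot send more than this user paid in.
    }
}
```
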

#0 - GalloDaSballo

2022-08-04T23:36:26Z

Dup of #68

#1 - GalloDaSballo

2022-08-04T23:36:46Z

Recommend Lowering severity (Med at most)
