Backed Protocol contest - cccz's results

Protocol for peer to peer NFT-Backed Loans.

General Information

Platform: Code4rena

Start Date: 05/04/2022

Pot Size: $30,000 USDC

Total HM: 10

Participants: 47

Period: 3 days

Judge: gzeon

Total Solo HM: 4

Id: 106

League: ETH

Backed Protocol

Findings Distribution

Researcher Performance

Rank: 24/47

Findings: 1

Award: $139.95

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 0xDjango

Also found by: Dravee, IllIllI, Ruhum, cccz, csanuragjain, robee

Labels

bug
duplicate
2 (Med Risk)

Awards

139.9476 USDC - $139.95

External Links

Lines of code

https://github.com/code-423n4/2022-04-backed/blob/main/contracts/NFTLoanFacilitator.sol#L129-L227

Vulnerability details

Impact

loanAssetContractAddress is specified by the user when the user creates a loan. When loanAssetContractAddress is a fee-on-transfer token, the actual amount of tokens received by the contract in the lend function will be less than the amount, so the user can avoid the contract charging fees, or directly use the fees stored in the contract to pay subsequent fees.

Proof of Concept

https://github.com/code-423n4/2022-04-backed/blob/main/contracts/NFTLoanFacilitator.sol#L129-L227

Tools Used

None

Consider getting the received amount by calculating the difference of token balance (using balanceOf) before and after the transferFrom.
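The balance-difference check suggested above, as an added Solidity sketch; it is not code from this report or from the Backed contracts. The contract name, the `principalOf` mapping, the 1% fee rate and the `lend` signature are hypothetical and only illustrate the accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical, simplified lender used only to show the check.
/// It is NOT NFTLoanFacilitator and omits collateral, interest and access control.
contract BalanceDiffLender {
    uint256 public constant SCALAR = 1000;
    uint256 public constant ORIGINATION_FEE_RATE = 10; // constructed value: 1%

    // Principal recorded per loan, in units that actually reached this contract.
    mapping(uint256 => uint256) public principalOf;

    /// Pull `amount` from `from` and return what really arrived.
    /// For a fee-on-transfer token, `received` is smaller than `amount`.
    function _pull(IERC20 token, address from, uint256 amount)
        internal
        returns (uint256 received)
    {
        uint256 balanceBefore = token.balanceOf(address(this));
        // Assumes a token that returns bool; use a safe-transfer wrapper for
        // tokens that return nothing.
        require(token.transferFrom(from, address(this), amount), "transferFrom failed");
        // Reverts on underflow under 0.8 if the balance somehow decreased.
        received = token.balanceOf(address(this)) - balanceBefore;
    }

    function lend(uint256 loanId, IERC20 token, address borrower, uint256 amount) external {
        uint256 received = _pull(token, msg.sender, amount);

        // Stricter alternative: refuse such tokens outright.
        // require(received == amount, "fee-on-transfer token not supported");

        // Fee and payout are derived from `received`, never from `amount`, so
        // the contract cannot pay out more than this lender actually sent and
        // cannot dip into fees already held for other loans.
        uint256 fee = (received * ORIGINATION_FEE_RATE) / SCALAR;
        principalOf[loanId] = received;
        require(token.transfer(borrower, received - fee), "transfer failed");
    }
}
```

Because the balance is read before and after an external call, a function like this should also carry a reentrancy guard when the loan asset may invoke callbacks.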

#0 - wilsoncusack

2022-04-06T12:13:14Z

duplicate. I think the borrowers/lenders should know risks of using these tokens

#1 - wilsoncusack

2022-04-06T20:01:01Z

#33

#2 - gzeoneth

2022-04-15T13:03:02Z

Duplicate of #75
