Platform: Code4rena
Start Date: 19/04/2022
Pot Size: $30,000 USDC
Total HM: 10
Participants: 43
Period: 3 days
Judges: moose-code, JasoonS
Total Solo HM: 7
Id: 90
League: ETH
Rank: 9/43
Findings: 2
Award: $906.87
🌟 Selected for report: 2
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/IndexLogic.sol#L48
In the mint function of the IndexLogic contract, users are required to transfer assets to vToken in advance, and then call the mint function to mint tokens. The attacker can monitor the asset balance in the vToken contract. When the balance is greater than lastBalance, the attacker can call the mint function to mint tokens for himself.
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/IndexLogic.sol#L48
None
Call the transferfrom function in the mint function of the IndexLogic contract to transfer the user's assets
#0 - jn-lp
2022-05-11T14:26:10Z
We don't expect users to directly call the Mint/Burn functions on Index. Instead, they should use the Router contract, as our frontend does.
#1 - moose-code
2022-05-23T15:11:07Z
There is no mention of the router contract in the contest documentation and this is unreasonable for wardens to know about the Router.
"We would like wardens to focus on any core functional logic, boundary case errors or similar issues which could be utilized by an attacker to take funds away from clients who have funds deposited in the protocol."
This a core logic error that could be used to take funds away from clients and given there is no mention of the router and only part of the code is submitted, I am siding with the wardens on this and awarding in full.
22.0499 USDC - $22.05
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/ChainlinkPriceOracle.sol#L83-L84
On ChainlinkPriceOracle.sol, we are using latestRoundData, but there is no check if the return value indicates stale data.
(, int basePrice, , , ) = baseAggregator.latestRoundData(); (, int quotePrice, , , ) = assetInfo.aggregator.latestRoundData();
This could lead to stale prices according to the Chainlink documentation:
https://docs.chain.link/docs/historical-price-data/#historical-rounds https://docs.chain.link/docs/faq/#how-can-i-check-if-the-answer-to-a-round-is-being-carried-over-from-a-previous-round
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/ChainlinkPriceOracle.sol#L83-L84
None
Consider adding missing checks for stale data.
For example:
(uint80 baseRoundID, int256 basePrice, , uint256 baseTimestamp, uint80 BaseAnsweredInRound) = baseAggregator.latestRoundData(); (uint80 quoteRoundID, int256 quotePrice, , uint256 quoteTimestamp, uint80 quoteAnsweredInRound) = assetInfo.aggregator.latestRoundData(); require(BaseAnsweredInRound >= baseRoundID && quoteAnsweredInRound >= quoteRoundID, "Stale price"); require(baseTimestamp != 0 && quoteTimestamp != 0 ,"Round not complete"); require(basePrice > 0 && quotePrice > 0,"Chainlink answer reporting 0");
#0 - moose-code
2022-05-24T11:44:50Z
Confirming medium issue across the board.