Backd Tokenomics contest - cccz's results

Maximize the power of your assets and start earning yield

General Information

Platform: Code4rena

Start Date: 27/05/2022

Pot Size: $75,000 USDC

Total HM: 20

Participants: 58

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 15

Id: 131

League: ETH

Backd

Findings Distribution

Researcher Performance

Rank: 23/58

Findings: 1

Award: $224.21

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

Awards

224.2059 USDC - $224.21

Labels

bug
disagree with severity
QA (Quality Assurance)
sponsor confirmed

External Links

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/KeeperGauge.sol#L157-L161

Vulnerability details

Impact

When the Gauge is killed, the advanceEpoch and kill functions can still be called to make epoch+1, while the reportFees function cannot be called to update the value of perPeriodTotalFees, which will cause perPeriodTotalFees[epoch] == 0. Later if the user calls the claimRewards function, the default epoch parameter will cause a divide by zero crash in the code below.

    for (uint256 i = startEpoch; i < endEpoch; i = i.uncheckedInc()) {
        totalClaimable += (
            keeperRecords[beneficiary].feesInPeriod[i].scaledDiv(perPeriodTotalFees[i])
        ).scaledMul(perPeriodTotalInflation[i]);
    }

Proof of Concept

https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/KeeperGauge.sol#L157-L161
https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/KeeperGauge.sol#L96-L100
https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/KeeperGauge.sol#L57-L62

Tools Used

None

Require killed to be false in poolCheckpoint function

function poolCheckpoint() public override returns (bool) { - if (killed) return false; + require(!killed); uint256 timeElapsed = block.timestamp - uint256(lastUpdated); uint256 currentRate = IController(controller).inflationManager().getKeeperRateForPool(pool); perPeriodTotalInflation[epoch] += currentRate * timeElapsed; lastUpdated = uint48(block.timestamp); return true; }
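Review bot: `require(!killed);` in poolCheckpoint has no revert reason, and swapping `if (killed) return false;` for a revert changes behaviour for every caller of this public function: it still declares `returns (bool)` but can now only return true, and any call path that reaches poolCheckpoint() on a killed gauge reverts instead of skipping the update. Add an error string and confirm each call site tolerates the revert. The patch also leaves the `scaledDiv(perPeriodTotalFees[i])` in the claim loop untouched, so the division itself is still unguarded; a zero check on perPeriodTotalFees[i] in that loop would address the reported revert directly.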

#0 - danhper

2022-06-06T15:29:50Z

This should be QA severity. This is not particularly likely since it would require the governance to call advanceKeeperGaugeEpoch on a killed pool. Furthermore, the impact is extremely low since the user would simply have to explicitly pass in the endEpoch parameter when claiming rewards.

#1 - GalloDaSballo

2022-06-19T00:01:16Z

I believe the finding to be valid in that epoch does continue to increase. I also believe that impact is minimal and DOS is completely dodgeable because of endEpoch being a user-provided parameter.

For those reasons I believe QA to be more appropriate
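The epoch sequence discussed in this thread, as an added Solidity example that is not the Backd contract and not code from the finding or its comments. GaugeModel, INFLATION_PER_EPOCH, claimable and claimableGuarded are hypothetical names; startEpoch is fixed at 0, and access control and token transfers are omitted. It places the unguarded division beside a variant that skips epochs with no reported fees.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;
// Added illustration: a simplified model of the epoch accounting, not the
// Backd KeeperGauge. INFLATION_PER_EPOCH is a constructed constant.
contract GaugeModel {
    uint256 internal constant SCALE = 1e18;
    uint256 internal constant INFLATION_PER_EPOCH = 100e18;
    uint256 public epoch;
    bool public killed;
    mapping(uint256 => uint256) public perPeriodTotalFees;
    mapping(uint256 => uint256) public perPeriodTotalInflation;
    mapping(address => mapping(uint256 => uint256)) public feesInPeriod;

    function poolCheckpoint() public returns (bool) {
        if (killed) return false; // pre-fix behaviour: silently does nothing
        perPeriodTotalInflation[epoch] += INFLATION_PER_EPOCH;
        return true;
    }

    function reportFees(address beneficiary, uint256 amount) external {
        require(!killed, "gauge killed");
        feesInPeriod[beneficiary][epoch] += amount;
        perPeriodTotalFees[epoch] += amount;
    }

    // Both still advance the epoch on a killed gauge, as the finding describes.
    function kill() external { poolCheckpoint(); epoch++; killed = true; }
    function advanceEpoch() external { poolCheckpoint(); epoch++; }

    // Unguarded loop, as in the finding: Panic(0x12) once the range holds an
    // epoch with perPeriodTotalFees == 0, e.g. reportFees(a, 1e18), kill(),
    // advanceEpoch(), claimable(a, 2). claimable(a, 1) still succeeds.
    function claimable(address b, uint256 endEpoch) external view returns (uint256 total) {
        require(endEpoch <= epoch, "invalid epoch");
        for (uint256 i = 0; i < endEpoch; i++) {
            uint256 share = (feesInPeriod[b][i] * SCALE) / perPeriodTotalFees[i];
            total += (share * perPeriodTotalInflation[i]) / SCALE;
        }
    }

    // Guarded variant: an epoch with no reported fees is skipped.
    function claimableGuarded(address b, uint256 endEpoch) external view returns (uint256 total) {
        require(endEpoch <= epoch, "invalid epoch");
        for (uint256 i = 0; i < endEpoch; i++) {
            uint256 fees = perPeriodTotalFees[i];
            if (fees == 0) continue;
            total += (((feesInPeriod[b][i] * SCALE) / fees) * perPeriodTotalInflation[i]) / SCALE;
        }
    }
}
```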
