Canto Dex Oracle contest - cccz's results


General Information

Platform: Code4rena

Start Date: 07/09/2022

Pot Size: $20,000 CANTO

Total HM: 7

Participants: 65

Period: 1 day

Judge: 0xean

Total Solo HM: 3

Id: 159

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 11/65

Findings: 1

Award: $210.46

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Chom

Also found by: 0xSmartContract, Jeiwan, SinceJuly, V_B, cccz, linmiaomiao

Labels

bug
duplicate
2 (Med Risk)

Awards

1303.145 CANTO - $210.46

External Links

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L487-L508

Vulnerability details

Impact

In the getUnderlyingPrice function, the price of some cTokens is determined by their symbol rather than their address. Any token that reports the same symbol as cCANTO, cNOTE, cUSDT or cUSDC will therefore be priced as that token. Conversely, if the symbols of cCANTO, cNOTE, cUSDT or cUSDC are ever changed (for example by appending a version number), getUnderlyingPrice will no longer recognise them and will stop working for those tokens.

Proof of Concept

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L487-L508

Tools Used

None

Recommended Mitigation Steps

Consider storing the addresses of these tokens and determining the price based on the addresses rather than the symbols.
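As an added illustration (not the Canto periphery code, which is at the link above), a symbol-keyed lookup next to the address-keyed alternative the mitigation describes; the interface, contract names and the placeholder price are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch for illustration; not the Canto periphery contract.
interface ICToken {
    function symbol() external view returns (string memory);
}

contract SymbolKeyedOracle {
    // Weak pattern: the price is selected by the token's self-reported symbol.
    // Any contract whose symbol() returns "cNOTE" is priced as cNOTE, and if
    // the real cNOTE is renamed (e.g. "cNOTEv2") the lookup falls through.
    uint256 public notePrice = 1e18; // placeholder value, assumed

    function getUnderlyingPrice(ICToken ctoken) external view returns (uint256) {
        // String comparison via hashes, since Solidity has no string equality.
        if (keccak256(bytes(ctoken.symbol())) == keccak256(bytes("cNOTE"))) {
            return notePrice;
        }
        revert("unknown ctoken");
    }
}

contract AddressKeyedOracle {
    // Hardened pattern: the cNOTE address is fixed at deployment and the
    // caller-controlled symbol() is never consulted. A symbol change or a
    // look-alike token cannot influence which price is returned.
    address public immutable cNote;
    uint256 public notePrice = 1e18; // placeholder value, assumed

    constructor(address _cNote) {
        require(_cNote != address(0), "zero address");
        cNote = _cNote;
    }

    function getUnderlyingPrice(address ctoken) external view returns (uint256) {
        if (ctoken == cNote) {
            return notePrice;
        }
        revert("unknown ctoken");
    }
}
```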

#0 - nivasan1

2022-09-10T17:20:54Z

duplicate #24
