Trader Joe v2 contest - chaduke's results

One-stop-shop decentralized trading on Avalanche.

General Information

Platform: Code4rena

Start Date: 14/10/2022

Pot Size: $100,000 USDC

Total HM: 12

Participants: 75

Period: 9 days

Judge: GalloDaSballo

Total Solo HM: 1

Id: 171

League: ETH

Trader Joe

Findings Distribution

Researcher Performance

Rank: 41/75

Findings: 2

Award: $0.98

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

2 (Med Risk)
satisfactory
duplicate-108

Awards

0.9728 USDC - $0.97

External Links

Judge has assessed an item in Issue #75 as M risk. The relevant finding follows:

Line 237, _beforeTokenTransfer(address(0), _account, _id, _amount); should be _beforeTokenTransfer(_account, address(0), _id, _amount);

#0 - c4-judge

2022-11-14T23:02:55Z

GalloDaSballo marked the issue as duplicate of #108

#1 - Simon-Busch

2022-12-05T06:36:08Z

Marked this issue as Satisfactory as requested by @GalloDaSballo

Awards

0.006 USDC - $0.01

Labels

bug
2 (Med Risk)
disagree with severity
downgraded by judge
satisfactory
duplicate-139

External Links

Lines of code

https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBFactory.sol#L474

Vulnerability details

Impact

Detailed description of the impact of this finding. The LBFactory contract allows the owner to set a new flashLoanFee via the setFlashLoanFee function, and leaves much power for the owner. If the owner, be it a user or a contract, the consequence to flash loan might be huge.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBFactory.sol#L474

Tools Used

Remix

Introduce an if-revert check to ensure that the new _flashLoanFee is within a range. In addition, include the owner information in the emit statement to improve accountability since the owner might be changing.
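The mitigation described in this finding, sketched as an added example that is not part of the submission or of the Trader Joe code base: a fee setter that reverts above a cap and logs the caller. The contract name, error names, event signature, fee scale and the 10% cap are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Added illustration only; not code from the Trader Joe repository.
/// Every name and the cap value below are assumptions.
contract FlashLoanFeeConfig {
    // Assumed fee scale: 1e18 == 100%.
    uint256 public constant PRECISION = 1e18;
    // Assumed upper bound (10%); the finding does not state a concrete limit.
    uint256 public constant MAX_FLASH_LOAN_FEE = PRECISION / 10;

    address public owner;
    uint256 public flashLoanFee;

    error NotOwner(address caller);
    error SameFlashLoanFee(uint256 fee);
    error FlashLoanFeeAboveMax(uint256 fee, uint256 maxFee);

    // The caller is indexed so fee changes can be filtered by who made them,
    // which still works after ownership has been transferred.
    event FlashLoanFeeSet(address indexed sender, uint256 oldFee, uint256 newFee);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor(uint256 _flashLoanFee) {
        // The initial value goes through the same bound as later updates.
        if (_flashLoanFee > MAX_FLASH_LOAN_FEE) {
            revert FlashLoanFeeAboveMax(_flashLoanFee, MAX_FLASH_LOAN_FEE);
        }
        owner = msg.sender;
        flashLoanFee = _flashLoanFee;
    }

    function setFlashLoanFee(uint256 _flashLoanFee) external onlyOwner {
        uint256 oldFee = flashLoanFee;
        if (oldFee == _flashLoanFee) revert SameFlashLoanFee(_flashLoanFee);
        // Range check: revert instead of storing an out-of-range fee.
        if (_flashLoanFee > MAX_FLASH_LOAN_FEE) {
            revert FlashLoanFeeAboveMax(_flashLoanFee, MAX_FLASH_LOAN_FEE);
        }
        flashLoanFee = _flashLoanFee;
        emit FlashLoanFeeSet(msg.sender, oldFee, _flashLoanFee);
    }
}
```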

#0 - Shungy

2022-10-25T05:15:00Z

I believe this finding to be technically valid but of lower severity.

My reasoning is stated in a similar finding: https://github.com/code-423n4/2022-10-traderjoe-findings/issues/472#issuecomment-1288454510

#1 - GalloDaSballo

2022-10-27T21:16:03Z

#2 - 0x0Louis

2022-10-28T22:17:50Z

Aligned with Shungy, valid but of a lower severity, especially given the fact that it's for flash loan

#3 - c4-judge

2022-11-13T21:59:02Z

GalloDaSballo changed the severity to 2 (Med Risk)

#4 - c4-judge

2022-11-23T18:38:14Z

GalloDaSballo marked the issue as not a duplicate

#5 - c4-judge

2022-11-23T18:38:54Z

GalloDaSballo marked the issue as duplicate of #139

#6 - Simon-Busch

2022-12-05T06:32:36Z

Marked this issue as Satisfactory as requested by @GalloDaSballo
