GoGoPool contest - clems4ever's results

Liquid staking for Avalanche.

General Information

Platform: Code4rena

Start Date: 15/12/2022

Pot Size: $128,000 USDC

Total HM: 28

Participants: 111

Period: 19 days

Judge: GalloDaSballo

Total Solo HM: 1

Id: 194

League: ETH


Findings Distribution

Researcher Performance

Rank: 110/111

Findings: 1

Award: $4.97

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

4.9672 USDC - $4.97

Labels

bug
3 (High Risk)
partial-50
duplicate-213

External Links

Lines of code

https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L244

https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MinipoolManager.sol#L259

Vulnerability details

Impact

Node operator and staker rewards can be wiped out by an anonymous user.

Proof of Concept

https://gist.github.com/clems4ever/f2e1d03323aeab2d489e6bec16996f37

Simply copy-paste this gist into the test file and it should work.

Tools Used

Manual review

Recommended Mitigation Steps

If the call is not creating a new minipool, revert when anyone other than the owner calls it. Also, do not reset the values before the rewards have been claimed.
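The two mitigations above, shown as an added illustrative contract that is not GoGoPool's code and does not reproduce MinipoolManager.sol. The contract name, the struct fields, the error names and the `register` entry point are all assumptions made for the example; only the two checks (owner-only on a re-registration, and no reset while unclaimed rewards remain) correspond to the recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical minipool registry used only to illustrate the mitigation.
/// Field and function names are assumptions, not GoGoPool's.
contract MinipoolRegistryExample {
    struct Minipool {
        address owner;            // who registered the minipool
        bool exists;              // false until first registration
        uint256 nodeOpRewards;    // accrued, not yet claimed (assumed field)
        uint256 stakerRewards;    // accrued, not yet claimed (assumed field)
    }

    mapping(address => Minipool) private pools;

    error NotOwner(address caller, address owner);
    error RewardsNotClaimed(uint256 nodeOp, uint256 staker);

    /// Create a minipool for `nodeID`, or re-register an existing one.
    /// Mitigation 1: a re-registration must come from the existing owner.
    /// Mitigation 2: reward accounting is only reset once it has been paid out.
    function register(address nodeID) external payable {
        Minipool storage mp = pools[nodeID];

        if (mp.exists) {
            // Not a new minipool: anyone other than the owner is rejected
            if (msg.sender != mp.owner) revert NotOwner(msg.sender, mp.owner);
            // Refuse to wipe rewards that have not been claimed yet
            if (mp.nodeOpRewards != 0 || mp.stakerRewards != 0) {
                revert RewardsNotClaimed(mp.nodeOpRewards, mp.stakerRewards);
            }
        } else {
            mp.owner = msg.sender;
            mp.exists = true;
        }

        // Reaching this point means either a fresh minipool or an owner-initiated
        // re-registration with nothing outstanding, so resetting is safe.
        mp.nodeOpRewards = 0;
        mp.stakerRewards = 0;
    }

    /// Pays out and clears accrued rewards; only the owner may claim.
    function claimRewards(address nodeID) external {
        Minipool storage mp = pools[nodeID];
        if (msg.sender != mp.owner) revert NotOwner(msg.sender, mp.owner);
        uint256 total = mp.nodeOpRewards + mp.stakerRewards;
        mp.nodeOpRewards = 0;
        mp.stakerRewards = 0;
        (bool ok, ) = msg.sender.call{value: total}("");
        require(ok, "transfer failed");
    }

    /// Test-only hook standing in for the reward distribution logic.
    function accrue(address nodeID, uint256 nodeOp, uint256 staker) external payable {
        Minipool storage mp = pools[nodeID];
        require(mp.exists, "unknown minipool");
        mp.nodeOpRewards += nodeOp;
        mp.stakerRewards += staker;
    }

    function pending(address nodeID) external view returns (uint256, uint256) {
        Minipool storage mp = pools[nodeID];
        return (mp.nodeOpRewards, mp.stakerRewards);
    }
}
```

The ordering matters: both checks run before any state is reset, so a failed check leaves the reward balances untouched. Checking `exists` rather than `owner == address(0)` keeps the "is this a new minipool" decision independent of how ownership is later represented.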

#0 - 0xminty

2023-01-04T00:03:42Z

dupe of #805

#1 - GalloDaSballo

2023-01-09T12:35:25Z

Recommend adding all info into the submission directly

#2 - c4-judge

2023-01-09T12:37:18Z

GalloDaSballo marked the issue as duplicate of #213

#3 - c4-judge

2023-02-03T12:33:01Z

GalloDaSballo changed the severity to 2 (Med Risk)

#4 - c4-judge

2023-02-03T19:26:10Z

GalloDaSballo changed the severity to 3 (High Risk)

#5 - c4-judge

2023-02-08T08:26:45Z

GalloDaSballo changed the severity to 2 (Med Risk)

#6 - c4-judge

2023-02-08T08:50:11Z

GalloDaSballo changed the severity to 3 (High Risk)

#7 - c4-judge

2023-02-08T20:27:31Z

GalloDaSballo marked the issue as partial-25

#8 - c4-judge

2023-02-08T20:27:43Z

GalloDaSballo marked the issue as partial-50

#9 - GalloDaSballo

2023-02-08T20:27:49Z

Coded POC, but missing description

#10 - c4-judge

2023-02-09T08:53:06Z

GalloDaSballo changed the severity to QA (Quality Assurance)

#11 - Simon-Busch

2023-02-09T12:46:07Z

Changed severity back from QA to H as requested by @GalloDaSballo
