Back to cloudjunky's contests

Juicebox V2 contest - cloudjunky's results

The decentralized fundraising and treasury protocol.

General Information

Platform: Code4rena

Start Date: 01/07/2022

Pot Size: $75,000 USDC

Total HM: 17

Participants: 105

Period: 7 days

Judge: Jack the Pug

Total Solo HM: 5

Id: 143

League: ETH

Juicebox

Findings Distribution

Researcher Performance

Rank: 105/105

Findings: 1

Award: $3.41

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryJuicebox

Findings Information

🌟 Selected for report: horsefacts

Also found by: 0x1f8b, 0x29A, 0x52, 0xf15ers, AlleyCat, Ch_301, Chom, Franfran, IllIllI, Kaiziron, Limbooo, Meera, Ruhum, Sm4rty, apostle0x01, berndartmueller, cccz, cloudjunky, codexploder, cryptphi, delfin454000, durianSausage, fatherOfBlocks, hake, hansfriese, hyh, jonatascm, m_Rassska, oyc_109, peritoflores, rajatbeladiya, rbserver, svskaushik, zzzitron

Awards

3.4075 USDC - $3.41

Labels

bug
duplicate
2 (Med Risk)
valid

External Links

Link to GitHub issue

Lines of code

https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBERC20PaymentTerminal.sol#L99 https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBETHERC20ProjectPayer.sol#L364 https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBETHERC20ProjectPayer.sol#L412 https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBETHERC20SplitsPayer.sol#L493

Vulnerability details

Issue

The .approve() call is the sole responsibility of the _beforeTransferTo() function which is called in JBERC20PaymentTerminal.sol and multiple times in JBPayoutRedemptionPaymentTerminal.sol.

There are some examples where .approve() is used but the return value is checked;

  1. L99 in JBERC20PaymentTerminal.sol uses an unsafe approve() function and doesn’t check the return value or revert if not true.
  2. L364 in JBETHERC20ProjectPayer.sol uses an unsafe approve() function and doesn’t check the return value or revert if not true.
  3. L412 in JBETHERC20ProjectPayer.sol uses an unsafe approve() function and doesn’t check the return value or revert if not true.
  4. L493 in JBETHERC20SplitsPayer.sol uses an unsafe approve() function and doesn’t check the return value or revert if not true.

Proof of Concept

Some ERC20 tokens return false and because the return value is not checked subsequent transfers may fail. The contract can enter an unknown state - inferring that approvals have taken place in error.

Furthermore .approve() is unsafe as it can be front-run in specific scenarios.

Tools Used

Vim

A better alternative would be to use Openzeppelin’s SafeERC20 library safe variants .safeIncreaseAllowance() and .safeDecreaseAllowance(). Please do not use .safeApprove() as it has been deprecated.

#0 - mejango

2022-07-12T18:32:55Z

dup #281

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter