Back to cryptonue's contests

Fraxlend (Frax Finance) contest - cryptonue's results

Fraxlend: A permissionless lending platform and the final piece of the Frax Finance Defi Trinity.

General Information

Platform: Code4rena

Start Date: 12/08/2022

Pot Size: $50,000 USDC

Total HM: 15

Participants: 120

Period: 5 days

Judge: Justin Goro

Total Solo HM: 6

Id: 153

League: ETH

Frax Finance

Findings Distribution

Researcher Performance

Rank: 83/120

Findings: 1

Award: $45.84

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryFrax Finance

Findings Information

🌟 Selected for report: 0x1f8b

Also found by: 0x52, 0xA5DF, 0xDjango, 0xNazgul, 0xNineDec, 0xSmartContract, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, EthLedger, Funen, IllIllI, JC, Junnon, Lambda, LeoS, MiloTruck, Noah3o6, PaludoX0, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, SaharAP, Sm4rty, SooYa, The_GUILD, TomJ, Waze, Yiko, _Adam, __141345__, a12jmx, ak1, asutorufos, auditor0517, ayeslick, ballx, beelzebufo, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, cccz, cryptonue, cryptphi, d3e4, delfin454000, dipp, djxploit, durianSausage, dy, erictee, fatherOfBlocks, gogo, gzeon, hyh, ignacio, kyteg, ladboy233, medikko, mics, minhquanym, oyc_109, pfapostol, rbserver, reassor, ret2basic, robee, sach1r0, simon135, sryysryy, tabish, yac, yash90, zzzitron

Awards

45.8358 USDC - $45.84

Labels

bug
downgraded by judge
QA (Quality Assurance)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#L44 https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#L46 https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendWhitelist.sol#L30

Vulnerability details

Impact

If we look at these contracts:

  • FraxlendPairDeployer.sol
  • FraxlendPairCore.sol
  • FraxlendWhitelist.sol

All of them inherits OpenZeppelin Ownable contract. This ownable contract is a standard way of owning a contract. But there is a potential issue within the Ownable contract, it allows for the transfer of ownership without validating that the address is a valid address in control of some expected recipient. If this function is used incorrectly, mistype, or any unexpected input, the admin user might be lost and potentially locked up for future usage.

This is categorized as a medium severity, similar to previous reported contests, because this could impact availability of protocol. https://code4rena.com/reports/2021-11-bootfinance#m-12-no-transfer-ownership-pattern

Consider implementing a transfer-accept ownership pattern or two-step process in those contracts when transfering ownership. This allow an owner to accept the transfer insuring that the account is controlled by a valid user.

#0 - DrakeEvans

2022-09-06T13:39:24Z

duplicate #339

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter