Back to cryptphi's contests

Nested Finance contest - cryptphi's results

The one-stop Defi app to build, manage and monetize your portfolio.

General Information

Platform: Code4rena

Start Date: 15/06/2022

Pot Size: $35,000 USDC

Total HM: 1

Participants: 36

Period: 3 days

Judge: Jack the Pug

Total Solo HM: 1

Id: 137

League: ETH

Nested Finance

Findings Distribution

Researcher Performance

Rank: 24/36

Findings: 1

Award: $81.82

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryNested Finance

Findings Information

🌟 Selected for report: 0xNazgul

Also found by: 0xDjango, 0xFar5eer, 0xf15ers, BowTiedWardens, Chom, Dravee, IllIllI, Meera, MiloTruck, PierrickGT, TerrierLover, _Adam, cccz, codexploder, cryptphi, delfin454000, fatherOfBlocks, hansfriese, joestakey, oyc_109, simon135

Awards

81.8216 USDC - $81.82

Labels

bug
disagree with severity
QA (Quality Assurance)
valid

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-06-nested/blob/main/contracts/Withdrawer.sol#L26

Vulnerability details

Impact

The Withdrawer contract has a function withdraw() which calls an unsafe transferFrom(). A call to transferFrom is frequently done without checking the results. For certain ERC20 tokens, if insufficient tokens are present, no revert occurs but a result of "false" is returned. As explained in https://consensys.net/diligence/audits/2021/01/fei-protocol/#unchecked-return-value-for-iweth-transfer-call

And in this function case, if the weth.transferFrom() returns false, it would continue the call to withdraw token from the contract and send it to the caller. Thus a user could withdraw free tokens, and eventually some users will be unable to withdraw their tokens.

Proof of Concept

https://github.com/code-423n4/2022-06-nested/blob/main/contracts/Withdrawer.sol#L26

  1. Alice calls Withdrawer.withdraw() with 100 as input.
  2. Assume weth.transferFrom() fails, returns false but does not revert.
  3. weth.withdraw() will run since there was no revert.
  4. Alice receives 100 eth for free.

This may be possible in a direct call by Alice or a call from YearnCurveVaultOperator contract in https://github.com/code-423n4/2022-06-nested/blob/main/contracts/operators/Yearn/YearnCurveVaultOperator.sol#L81

Tools Used

Manual review

Check the result of transferFrom and transfer. Or making use of SafeERC20 library: safeTransfer and safeTransferFrom would be recommended

#0 - kartoonjoy

2022-06-17T17:13:35Z

Per warden cryptphi, items 1-4, etc need to be added to the PoC section.

#1 - Yashiru

2022-06-24T12:48:52Z

Unchecked return value of transferFrom can allow a user to withdraw native token for free (Duplicated)

Duplicated of #24 at Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom

Disagree with severity, must be a QA because Alice can't call Withdrawer.withdraw() via the Yearn operator without providing her funds from the NestedReserve to the NestedFactory.

NestedFactory does not have any funds.

#2 - jack-the-pug

2022-07-12T02:34:39Z

Will downgrade to QA as the pre-condition for the High severity won't stand

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter