Inverse Finance contest - cryptphi's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Inverse Finance

Findings Distribution

Researcher Performance

Rank: 93/127

Findings: 1

Award: $24.22

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

24.2165 USDC - $24.22

Labels

bug
2 (Med Risk)
satisfactory
duplicate-533

External Links

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L53
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L87-L88
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L121-L122
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L396
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L462
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L567

Vulnerability details

Impact

Oracle.setFeed() stores whatever tokenDecimals value the operator passes without validating it. If the operator sets a feed's tokenDecimals to 36 and the feed reports feedDecimals of 0, the expression uint8 decimals = 36 - feedDecimals - tokenDecimals; in Oracle.getPrice() and Oracle.viewPrice() evaluates to 0, so uint normalizedPrice = price * (10 ** decimals); is simply feeds[token].feed.latestAnswer(). Both functions then return the raw, non-scaled feed value instead of a price normalized to the token's decimals.

Because the collateral value and credit limit that the Market derives from that unscaled price are far smaller than intended, the following functions would revert, since their require() checks could no longer be satisfied:
Market.borrowInternal() - https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L396
Market.withdrawInternal() - https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L462
Market.forceReplenish() - https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L567

Tools Used

Manual review

Recommended Mitigation Steps

Validate tokenDecimals in Oracle.setFeed() before storing it, e.g. require that it matches the token's own decimals() and that feedDecimals + tokenDecimals does not exceed 36, so that 36 - feedDecimals - tokenDecimals is always a meaningful scaling exponent.
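The normalization arithmetic and the mitigation above, as an added example: this is a Python model written for this page, not code from the Inverse Finance repository or from the finding. It mirrors the uint8 decimals = 36 - feedDecimals - tokenDecimals scaling in Oracle.viewPrice()/getPrice() and the collateralValue * collateralFactorBps / 10000 credit limit the Market checks, reproduces the tokenDecimals = 36 / feedDecimals = 0 case returning the raw feed value, and adds a hypothetical hardened setFeed() check of the kind the mitigation suggests. The balances, feed answers, collateral factor and the helper names (normalized_price, can_borrow, set_feed_checked, reverts) are constructed for the example; Solidity 0.8 checked arithmetic is modelled by raising ValueError where the contract would revert, and the feedDecimals + tokenDecimals > 36 revert case goes beyond the scenario described in the finding.

```python
# Added example (not code from the Inverse Finance repository or the contest):
# a Python model of the Oracle price normalisation and the Market collateral
# check described in the finding. Solidity 0.8 checked arithmetic is modelled
# by raising ValueError wherever the contract would revert.

UINT8_MAX = 2**8 - 1
WAD = 10**18  # 1 ether


def checked_uint8_sub(a: int, b: int) -> int:
    """uint8 subtraction with Solidity 0.8 overflow checks (revert -> ValueError)."""
    r = a - b
    if r < 0 or r > UINT8_MAX:
        raise ValueError("revert: uint8 arithmetic underflow/overflow")
    return r


def normalized_price(feed_answer: int, feed_decimals: int, token_decimals: int) -> int:
    """Mirror of the normalisation in Oracle.viewPrice()/getPrice():
    decimals = 36 - feedDecimals - tokenDecimals; normalizedPrice = price * 10**decimals.
    The collateral-factor dampening that follows in the real contract is left out."""
    if feed_answer <= 0:
        raise ValueError("revert: Invalid feed price")
    decimals = checked_uint8_sub(checked_uint8_sub(36, feed_decimals), token_decimals)
    return feed_answer * 10**decimals


def collateral_value(balance: int, price: int) -> int:
    """Market collateral valuation: escrow balance * oracle price / 1 ether."""
    return balance * price // WAD


def can_borrow(balance: int, price: int, collateral_factor_bps: int, debt: int) -> bool:
    """The credit-limit require() applied by borrowInternal()/withdrawInternal():
    credit = collateralValue * collateralFactorBps / 10000 must cover the debt."""
    credit = collateral_value(balance, price) * collateral_factor_bps // 10_000
    return credit >= debt


def set_feed_checked(feed_decimals: int, token_decimals: int, erc20_decimals: int) -> int:
    """Hypothetical hardened setFeed(): reject a tokenDecimals that does not match the
    token's own decimals() or that would push 36 - feedDecimals - tokenDecimals out of
    range. Returns the resulting scaling exponent so the caller can see what was accepted."""
    if token_decimals != erc20_decimals:
        raise ValueError("revert: tokenDecimals does not match token.decimals()")
    if feed_decimals + token_decimals > 36:
        raise ValueError("revert: feedDecimals + tokenDecimals exceeds 36")
    return 36 - feed_decimals - token_decimals


def reverts(fn, *args) -> bool:
    """True if the modelled call would revert."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo() -> dict:
    # Constructed inputs: an escrow holding 2 WETH (18 decimals) and a feed that
    # reports ETH/USD = 1500 with 0 feed decimals, matching the finding's scenario.
    weth_balance = 2 * 10**18
    eth_usd_0dec = 1500
    cf_bps = 8_000  # 80 % collateral factor
    one_dola = 10**18

    # tokenDecimals = 18 (correct for WETH): exponent 36 - 0 - 18 = 18.
    good = normalized_price(eth_usd_0dec, 0, 18)
    # tokenDecimals = 36 (the finding): exponent 36 - 0 - 36 = 0, raw feed value.
    bad = normalized_price(eth_usd_0dec, 0, 36)
    return {
        "good_price": good,                                   # 1500e18
        "good_value": collateral_value(weth_balance, good),   # 3000e18
        "good_borrow": can_borrow(weth_balance, good, cf_bps, 1000 * one_dola),  # True
        "bad_price": bad,                                     # 1500, unscaled
        "bad_value": collateral_value(weth_balance, bad),     # 3000, i.e. 3000 wei of USD
        "bad_borrow": can_borrow(weth_balance, bad, cf_bps, one_dola),  # False: credit limit exceeded
        "sum_over_36_reverts": reverts(normalized_price, eth_usd_0dec, 8, 36),  # True: uint8 underflow
        "hardened_accepts": set_feed_checked(0, 18, 18),      # 18
        "hardened_rejects": reverts(set_feed_checked, 0, 36, 18),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the correct configuration the 2 WETH escrow is worth 3000e18 and a 1000 DOLA borrow passes the credit check; with tokenDecimals = 36 the same escrow is valued at 3000 wei of USD and even a 1 DOLA borrow fails, which is the revert path the finding describes. The hardened check rejects the bad configuration at setFeed() time instead of letting every borrow, withdrawal and forced replenishment fail later.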

#0 - c4-judge

2022-11-05T19:58:12Z

0xean marked the issue as duplicate

#1 - c4-judge

2022-11-28T16:07:24Z

0xean marked the issue as not a duplicate

#2 - c4-judge

2022-11-28T16:07:32Z

0xean marked the issue as duplicate of #540

#3 - Simon-Busch

2022-12-05T15:33:04Z

Issue marked as satisfactory as requested by 0xean

#4 - c4-judge

2022-12-07T08:18:20Z

Simon-Busch marked the issue as duplicate of #533
