Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $88,500 USDC
Total HM: 31
Participants: 105
Period: 11 days
Judge: ronnyx2017
Total Solo HM: 7
Id: 342
League: ETH
Rank: 6/105
Findings: 2
Award: $1,620.06
π Selected for report: 1
π Solo Findings: 1
π Selected for report: cryptphi
1577.2848 USDC - $1,577.28
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/transformers/AutoRange.sol#L276-L297
The AutoRange.configToken() function updates the state variable positionConfigs for a tokenId and callable by the owner of the tokenId. However, in the call to AutoRange.execute(), the state variable positionConfigs for the tokenid is used in setting the local variable PositionConfig memory config without any further check to ensure the config has been set by the current owner of the tokenId
This in some way could affect the swapcall on the token position such that the protocol does not receive any incentive.
configToken() to configure token to be used before calling executeWithVault()https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/transformers/AutoRange.sol#L276-L297
positionConfigs state variable for tokenId is set in configToken() by token owner.
function configToken(uint256 tokenId, address vault, PositionConfig calldata config) external { _validateOwner(tokenId, vault); // lower tick must be always below or equal to upper tick - if they are equal - range adjustment is deactivated if (config.lowerTickDelta > config.upperTickDelta) { revert InvalidConfig(); } positionConfigs[tokenId] = config;
After a while and eventually Alice no longer has any position on token and transfers the token to Bob.
Bob is another operator and calls executeWithVault(), the calls happen using the old token config set by Alice. https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/transformers/AutoRange.sol#L111-L116
positionConfigs[tokenId] set by a previous tokenId owner being used.
function execute(ExecuteParams calldata params) external { if (!operators[msg.sender] && !vaults[msg.sender]) { revert Unauthorized(); } ExecuteState memory state; PositionConfig memory config = positionConfigs[params.tokenId];
Manual
Using an enumerable set or additional mapping parameter to set the current owner in the positionConfigs state variable and an additional check in execute() to ensure the config was set by token owner.
Other
#0 - c4-pre-sort
2024-03-21T15:12:29Z
0xEVom marked the issue as duplicate of #370
#1 - c4-pre-sort
2024-03-21T15:12:32Z
0xEVom marked the issue as sufficient quality report
#2 - c4-pre-sort
2024-03-22T16:06:31Z
0xEVom marked the issue as not a duplicate
#3 - c4-pre-sort
2024-03-22T16:06:37Z
0xEVom marked the issue as duplicate of #55
#4 - c4-pre-sort
2024-03-22T16:12:15Z
0xEVom marked the issue as not a duplicate
#5 - kalinbas
2024-03-26T16:21:53Z
Position config is not reset when transfering a position to someone else, but the operator approval / approvalforall is reset. So the position cant be automated anymore, and if it is given approval the revert UI will also let the user set the new config. So this is valid but not a problem.
#6 - c4-sponsor
2024-03-26T16:21:57Z
kalinbas (sponsor) acknowledged
#7 - jhsagd76
2024-03-31T09:30:14Z
makes sense, and I also believe that frontend security checks are unreliable, so I'm still maintaining it as an M.
#8 - c4-judge
2024-03-31T09:30:21Z
jhsagd76 marked the issue as satisfactory
#9 - c4-judge
2024-04-01T15:33:46Z
jhsagd76 marked the issue as selected for report
π Selected for report: Bauchibred
Also found by: 0x11singh99, 0x175, 0xAlix2, 0xDemon, 0xGreyWolf, 0xPhantom, 0xspryon, 14si2o_Flint, Arabadzhiev, Aymen0909, Bigsam, BowTiedOriole, CRYP70, DanielArmstrong, FastChecker, JecikPo, KupiaSec, MohammedRizwan, Norah, Timenov, Topmark, VAD37, adeolu, btk, crypticdefense, cryptphi, givn, grearlake, jnforja, kennedy1030, kfx, ktg, lanrebayode77, n1punp, santiellena, stonejiajia, t4sk, thank_you, tpiliposian, wangxx2026, y0ng0p3, zaevlad
42.7786 USDC - $42.78
The leverageDown functions in LeverageTransformer contract are expected to be called by V3Vault. However, there is no access control to check that the caller is an authorized V3Vault address.
Due to this, it is possible for any user owned contract to be approved for erc20 tokens and steal tokens held in the contract https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/transformers/LeverageTransformer.sol#L165C9-L166C65
Manual
Add a check to ensure caller is approved vault address
ERC20
#0 - c4-pre-sort
2024-03-16T10:10:54Z
0xEVom marked the issue as duplicate of #366
#1 - c4-pre-sort
2024-03-18T09:14:48Z
0xEVom marked the issue as sufficient quality report
#2 - c4-pre-sort
2024-03-23T19:34:36Z
0xEVom marked the issue as not a duplicate
#3 - c4-pre-sort
2024-03-23T19:34:40Z
0xEVom marked the issue as insufficient quality report
#4 - 0xEVom
2024-03-23T19:35:00Z
LeverageTransformer does not hold any tokens.
#5 - c4-sponsor
2024-03-26T14:21:18Z
kalinbas (sponsor) disputed
#6 - c4-sponsor
2024-03-26T14:21:34Z
kalinbas (sponsor) acknowledged
#7 - c4-sponsor
2024-03-26T14:21:48Z
kalinbas marked the issue as disagree with severity
#8 - kalinbas
2024-03-26T14:24:26Z
Will add check for allow list of vault, but it is no risk because the contract doesn't hold any tokens.
#9 - jhsagd76
2024-03-29T00:42:22Z
I mark this as a Low, because there are many many same things in the mainnet dapps. Losses are always dust (even though by design we shouldn't have any tokens in this contract), so it's still something to be mindful of.
#10 - c4-judge
2024-03-29T00:42:35Z
jhsagd76 changed the severity to QA (Quality Assurance)
#11 - jhsagd76
2024-03-29T00:42:57Z
L-A
#12 - c4-judge
2024-03-29T00:43:01Z
jhsagd76 marked the issue as grade-a
#13 - kalinbas
2024-04-11T00:26:56Z