Cudos contest - csanuragjain's results

Decentralised cloud computing for Web3.

General Information

Platform: Code4rena

Start Date: 03/05/2022

Pot Size: $75,000 USDC

Total HM: 6

Participants: 55

Period: 7 days

Judge: Albert Chon

Total Solo HM: 2

Id: 116

League: COSMOS

Cudos

Findings Distribution

Researcher Performance

Rank: 21/55

Findings: 1

Award: $502.47

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: p_crypt0

Also found by: 0x1337, GermanKuber, IllIllI, WatchPug, csanuragjain, danb, dirk_y, kirk-baird

Labels

bug
duplicate
2 (Med Risk)

Awards

502.4722 USDC - $502.47

External Links

Lines of code

https://github.com/code-423n4/2022-05-cudos/blob/main/solidity/contracts/Gravity.sol#L632

Vulnerability details

Impact

The reward tokens are not meant for the Admin, yet through the withdrawERC20 function the Admin can withdraw all reward tokens held by the contract.

Proof of Concept

  1. Observe the withdrawERC20 function.

  2. The Admin is allowed to withdraw any token, including _newValset.rewardToken (set at Gravity.sol#L344).

  3. Ideally the Admin should not be allowed to withdraw _newValset.rewardToken.

Add a check in withdrawERC20 that makes the function revert if the Admin tries to withdraw the reward token.
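The check recommended above, shown as an added example rather than code from the Cudos Gravity.sol contract: a simplified stand-in contract (names `admin`, `lastValsetRewardToken`, `recordRewardToken` and the `withdrawERC20(address)` signature are assumptions) with the unguarded withdrawal beside the guarded one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Hypothetical stand-in for the bridge contract: an admin, the reward token
// recorded when a new valset is applied, and the admin-only withdrawal.
contract RewardGuardedWithdraw {
    address public admin;
    // Token validators are rewarded with; mirrors _newValset.rewardToken.
    address public lastValsetRewardToken;

    error NotAdmin();
    error RewardTokenNotWithdrawable(address token);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(address _admin) {
        admin = _admin;
    }

    // Stand-in for the valset update storing the new reward token.
    function recordRewardToken(address _rewardToken) external onlyAdmin {
        lastValsetRewardToken = _rewardToken;
    }

    // Shape described in the finding: any token, the reward token included,
    // can be swept to the admin.
    function withdrawERC20Unchecked(address _tokenAddress) external onlyAdmin {
        IERC20 token = IERC20(_tokenAddress);
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(admin, amount), "transfer failed");
    }

    // Hardened form: reverts when the admin targets the recorded reward token.
    function withdrawERC20(address _tokenAddress) external onlyAdmin {
        if (_tokenAddress == lastValsetRewardToken) {
            revert RewardTokenNotWithdrawable(_tokenAddress);
        }
        IERC20 token = IERC20(_tokenAddress);
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(admin, amount), "transfer failed");
    }
}
```

Note that this guard only compares against the most recently recorded reward token; if the reward token can change between valsets, balances of an earlier reward token would still be withdrawable unless every historical reward token is tracked.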

#0 - mlukanova

2022-05-10T14:31:49Z

Duplicate of #14
