Asymmetry contest - csanuragjain's results

A protocol to help diversify and decentralize liquid staking derivatives.

General Information

Platform: Code4rena

Start Date: 24/03/2023

Pot Size: $49,200 USDC

Total HM: 20

Participants: 246

Period: 6 days

Judge: Picodes

Total Solo HM: 1

Id: 226

League: ETH

Asymmetry Finance

Findings Distribution

Researcher Performance

Rank: 94/246

Findings: 2

Award: $42.60

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

29.4683 USDC - $29.47

Labels

bug
3 (High Risk)
partial-50
upgraded by judge
duplicate-703

External Links

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L182

Vulnerability details

Impact

If the admin mistakenly adds an incorrect derivative contract address, every function that iterates over the derivatives (rebalancing, stake and unstake) will revert permanently, and user funds will be stuck in the contract.

Proof of Concept

  1. Admin wants to add a new derivative using the addDerivative function:

       function addDerivative(
           address _contractAddress,
           uint256 _weight
       ) external onlyOwner {
           derivatives[derivativeCount] = IDerivative(_contractAddress);
           weights[derivativeCount] = _weight;
           derivativeCount++;
           ...
       }

  2. Admin wants to use contract address 0xabc but mistakenly uses 0xabd.
  3. A new derivative with contract address 0xabd gets created; nothing in addDerivative validates the address.
  4. After some time, Admin wants to rebalance weights using rebalanceToWeights, which fails since derivatives[i].balance() does not exist for the 0xabd contract:

       function rebalanceToWeights() external onlyOwner {
           uint256 ethAmountBefore = address(this).balance;
           for (uint i = 0; i < derivativeCount; i++) {
               // reverts on the bad entry: 0xabd has no balance() to call
               if (derivatives[i].balance() > 0)
                   derivatives[i].withdraw(derivatives[i].balance());
           }
           ...
       }

  5. Similarly, the user stake and unstake operations also fail for the same reason:

       function unstake(uint256 _safEthAmount) external {
           ...
           for (uint256 i = 0; i < derivativeCount; i++) {
               // withdraw a percentage of each asset based on the amount of safETH
               uint256 derivativeAmount = (derivatives[i].balance() * _safEthAmount) /
                   safEthTotalSupply;
               if (derivativeAmount == 0) continue; // if derivative empty ignore
               derivatives[i].withdraw(derivativeAmount);
           }
           ...
       }

Recommended mitigation: validate the address in addDerivative (reject addresses with no code or that do not respond to balance()) and allow the admin to remove or disable a derivative, so a single wrong registration cannot brick rebalancing, staking and unstaking.
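The following sketch is an added example and not the Asymmetry SafEth code. It shows one way to implement the mitigation: probe the candidate address before registering it, and keep an enabled flag so the admin can take a bad entry out of every loop. The IDerivative interface here is reduced to the two calls the finding relies on, and the contract, event and function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface assumed for this example: only the calls the finding relies on.
interface IDerivative {
    function balance() external view returns (uint256);
    function withdraw(uint256 amount) external;
}

// Hypothetical hardened registry (example code, not the project's contract).
contract DerivativeRegistryExample {
    address public owner;
    mapping(uint256 => IDerivative) public derivatives;
    mapping(uint256 => uint256) public weights;
    mapping(uint256 => bool) public enabled;
    uint256 public derivativeCount;

    event DerivativeAdded(uint256 indexed index, address contractAddress, uint256 weight);
    event DerivativeDisabled(uint256 indexed index);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Reject an EOA or an unrelated contract at registration time instead of
    // letting every later loop revert on it.
    function addDerivative(address _contractAddress, uint256 _weight) external onlyOwner {
        // Checked explicitly: try/catch does not catch the compiler's own
        // extcodesize revert for a codeless address on older 0.8.x compilers.
        require(_contractAddress.code.length > 0, "derivative: not a contract");
        // Probe balance(); a contract that lacks it (or reverts) is rejected here.
        try IDerivative(_contractAddress).balance() returns (uint256) {
        } catch {
            revert("derivative: balance() probe failed");
        }
        derivatives[derivativeCount] = IDerivative(_contractAddress);
        weights[derivativeCount] = _weight;
        enabled[derivativeCount] = true;
        emit DerivativeAdded(derivativeCount, _contractAddress, _weight);
        derivativeCount++;
    }

    // Escape hatch for a wrong-but-live registration: zero its weight and skip it.
    function disableDerivative(uint256 _index) external onlyOwner {
        require(_index < derivativeCount, "derivative: bad index");
        enabled[_index] = false;
        weights[_index] = 0;
        emit DerivativeDisabled(_index);
    }

    // Every loop over derivatives skips disabled entries, so one bad entry cannot
    // block withdrawals from the others.
    function rebalanceToWeights() external onlyOwner {
        for (uint256 i = 0; i < derivativeCount; i++) {
            if (!enabled[i]) continue;
            uint256 bal = derivatives[i].balance();
            if (bal > 0) derivatives[i].withdraw(bal);
        }
        // ... redeposit according to the remaining weights (omitted)
    }
}
```

The probe in addDerivative catches the case in the proof of concept (an address with no matching contract) but not a typo that happens to land on another live derivative that does answer balance(); that is why the disable path is kept as well, and why stake and unstake loops should apply the same enabled check as rebalanceToWeights.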

#0 - c4-pre-sort

2023-04-04T19:46:52Z

0xSorryNotSorry marked the issue as duplicate of #709

#1 - c4-judge

2023-04-23T12:02:53Z

Picodes marked the issue as duplicate of #703

#2 - c4-judge

2023-04-24T19:36:09Z

Picodes changed the severity to 3 (High Risk)

#3 - c4-judge

2023-04-24T21:23:19Z

Picodes marked the issue as satisfactory

#4 - c4-judge

2023-04-24T21:23:24Z

Picodes marked the issue as partial-50
