Back to datapunk's contests

Olympus DAO contest - datapunk's results

Version 3 of Olympus protocol, a decentralized floating currency.

General Information

Platform: Code4rena

Start Date: 25/08/2022

Pot Size: $75,000 USDC

Total HM: 35

Participants: 147

Period: 7 days

Judge: 0xean

Total Solo HM: 15

Id: 156

League: ETH

Olympus DAO

Findings Distribution

Researcher Performance

Rank: 11/147

Findings: 6

Award: $2,234.65

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryOlympus DAO

Findings Information

🌟 Selected for report: hansfriese

Also found by: datapunk, itsmeSTYJ

Labels

bug
duplicate
2 (Med Risk)
disagree with severity
old-submission-method

Awards

514.4616 DAI - $514.46

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/RANGE.sol#L272-L289

Vulnerability details

Impact

RANGE constructor does not validate inputs, which may result in unexpected cushion/walls

Proof of Concept

RANGE.sol#L272-L289

Tools Used

Add the following:

require(rangeParams[1]<rangeParams[2]) ;
require(rangeParams[0]>=100 && rangeParams[0]<=10000);
require(rangeParams[1]>=100 && rangeParams[1]<=10000);
require(rangeParams[2]>=100 && rangeParams[2]<=10000);

#0 - Oighty

2022-09-07T01:04:41Z

Duplicate. See comment on #379 .

#1 - 0xean

2022-09-19T14:19:08Z

closing as dupe of #379

Findings Information

🌟 Selected for report: okkothejawa

Also found by: Trust, datapunk, reassor

Labels

bug
duplicate
question
2 (Med Risk)
sponsor confirmed
old-submission-method

Awards

347.2615 DAI - $347.26

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/TRSRY.sol#L75 https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/TRSRY.sol#L92

Vulnerability details

Impact

pricefeed has different cutoffs for ohm and reserve

Proof of Concept

TRSRY.sol#L75 TRSRY.sol#L92

Tools Used

if this intentional, please explain rationale in comments. Otherwise, select a common cutoff.

#0 - ind-igo

2022-09-07T22:17:32Z

This issue description doesn't quite line up with the quoted source lines.

#1 - Oighty

2022-09-08T17:36:23Z

This is a duplicate of #391. The source code lines are to the TRSRY, but other issues have identified this in the PRICE contract.

#2 - 0xean

2022-09-19T13:20:04Z

closing as dupe

Findings Information

🌟 Selected for report: Trust

Also found by: 0xSky, datapunk, tonisives

Labels

bug
duplicate
2 (Med Risk)
old-submission-method

Awards

347.2615 DAI - $347.26

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/TRSRY.sol#L75 https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/TRSRY.sol#L92

Vulnerability details

Impact

TRSRY's withdrawApproval is used for two different purposes: to keep track of reserves for withdrawReserves and for loan taking in getLoan. In case a policy implements both functionalities, it would always do withdrawReserves to avoid incurring debt.

Proof of Concept

TRSRY.sol#L75 TRSRY.sol#L92

Tools Used

it would be best if there is a different variable that keeps track of loans, which is different from reserve contribution.

#0 - ind-igo

2022-09-07T19:40:06Z

Agreed, but this is a duplicate of another issue.

#1 - 0xean

2022-09-21T12:21:58Z

dupe of #75

Findings Information

🌟 Selected for report: rvierdiiev

Also found by: Jeiwan, Lambda, Trust, datapunk, devtooligan, itsmeSTYJ, zzzitron

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed
old-submission-method

Awards

113.9192 DAI - $113.92

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/Heart.sol#L92

Vulnerability details

Impact

Assuming 5 beats were skipped. lastBeat = block.timestamp - 5 * freq() This allows 5 beat() calls sequentially, while getCurrentPrice may return prices of the same moment , which the actual MA might have moved a lot

Proof of Concept

Heart.sol#L92

Tools Used

interpolate the prices somehow from most recent available observations

#0 - Oighty

2022-09-07T21:41:22Z

See comments on #405 and #79

#1 - 0xean

2022-09-19T13:39:42Z

closing as dupe of #79

Findings Information

🌟 Selected for report: Jeiwan

Also found by: datapunk

Labels

bug
duplicate
2 (Med Risk)
sponsor disputed
old-submission-method

Awards

857.4359 DAI - $857.44

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/INSTR.sol#L52

Vulnerability details

Impact

In kernel, Actions.ChangeExecutor/Actions.ChangeAdmin does not require ensureContract(instruction.target); while in INSTR, it is required.

Proof of Concept

INSTR.sol#L224-L228 Kernel.sol#L250-L253

Tools Used

make them consistent in kernel and INSTR. My sense is to go with kernel, so that EOAs are allowed to be executor and admin

#0 - ind-igo

2022-09-02T20:34:13Z

This is intended behavior.

#1 - 0xean

2022-09-20T00:48:57Z

dupe of #94

Findings Information

🌟 Selected for report: zzzitron

Also found by: 0x040, 0x1f8b, 0x52, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSky, 0xSmartContract, 0xkatana, 8olidity, Aymen0909, Bahurum, BipinSah, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chandr, Chom, CodingNameKiki, Deivitto, DimSon, Diraco, ElKu, EthLedger, Funen, GalloDaSballo, Guardian, IllIllI, JansenC, Jeiwan, Lambda, LeoS, Margaret, MasterCookie, PPrieditis, PaludoX0, Picodes, PwnPatrol, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, StevenL, The_GUILD, TomJ, Tomo, Trust, Waze, __141345__, ajtra, ak1, apostle0x01, aviggiano, bin2chen, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch13fd357r0y3r, cloudjunky, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, devtooligan, dipp, djxploit, durianSausage, eierina, enckrish, erictee, fatherOfBlocks, gogo, grGred, hansfriese, hyh, ignacio, indijanc, itsmeSTYJ, ladboy233, lukris02, martin, medikko, mics, natzuu, ne0n, nxrblsrpr, okkothejawa, oyc_109, p_crypt0, pfapostol, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, sorrynotsorry, tnevler, tonisives, w0Lfrum, yixxas

Awards

54.3136 DAI - $54.31

Labels

bug
QA (Quality Assurance)
old-submission-method

External Links

Link to GitHub issue

QA: repeating code can be extracted into a function. These two function can be merged, thus allowing more flexible updates of MADuration and ObsFreq, ie, their updated values would not be constrained current MADuration and ObsFreq, as remainder is required to be 0

PRICE.sol#L246-L257 PRICE.sol#L272-L289

GAS: can revert earlier to save gas

INSTR.sol#L224-L228

GAS: endorseProposal may be called after proposal.submissionTimestamp + ACTIVATION_DEADLINE, however at this point, the proposal can no longer be activated, so it is better to revert the endorse

Governance.sol#L180

QA: It does not look reducingBy 0 actually do anything in these two lines?

Heart.sol#L92

QA: it is unclear to me the difference between marketCapacity and capacity in Side.

updateMarket does not use marketCapacity in any way except for emit. RANGE.sol#L215

QA: missing emits in setters. For example:

Kernel.sol#L76 Kernel.sol#L126 BondCallback.sol#L190

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter