Anchor contest - defsec's results

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L173

Vulnerability details

Impact

During the code review, It has been observed that the whitelisted token check is commented out. That will cause to user fund lost on the bridge. The related function only should allow white-listed tokens.

Proof of Concept

1. Navigate to the the following contract.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L173

2. The following check is commented out.

    function handleStableToken(
        address token,
        uint256 amount,
        uint8 opCode
    ) internal {
        // Check that `token` is a whitelisted stablecoin token.
        // require(whitelistedStableTokens[token]);
        handleToken(token, amount, opCode);
    }

Tools Used

Code review

Recommended Mitigation Steps

Ensure that the whitelist check has been enabled on the related code section. Even if the user is going to lose funds, the bridge smart contract should be ensure that the token is white-listed.

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/overseer/src/contract.rs#L192

Vulnerability details

Impact

During the code review, It has been observed that reward calculation has been done with execute_epoch_operations function. However, the config are stored in the storage. When the anc_purchase_factor is updated by the owner, the execute_epoch_operations is not called.

Proof of Concept

1. Navigate to the following contract.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/overseer/src/contract.rs#L192

2. Config is updated with update_config function.

    if let Some(threshold_deposit_rate) = threshold_deposit_rate {
        config.threshold_deposit_rate = threshold_deposit_rate;
    }

    if let Some(buffer_distribution_factor) = buffer_distribution_factor {
        config.buffer_distribution_factor = buffer_distribution_factor;
    }

    if let Some(anc_purchase_factor) = anc_purchase_factor {
        config.anc_purchase_factor = anc_purchase_factor;
    }

    if let Some(target_deposit_rate) = target_deposit_rate {
        config.target_deposit_rate = target_deposit_rate;
    }

    if let Some(epoch_period) = epoch_period {
        config.epoch_period = epoch_period;
    }

    if let Some(price_timeframe) = price_timeframe {
        config.price_timeframe = price_timeframe;
    }

3. After the update, execute_epoch_operations function is not called. That will cause to out-of-date data.

Tools Used

Code Review

Recommended Mitigation Steps

Consider calling execute_epoch_operations function after config update.

C4-001 : PREVENT DIV BY 0

Impact - LOW

On several locations in the code precautions are taken not to divide by 0, because this will revert the code. However on some locations this isn’t done.

Oracle price is not checked. That will cause to revert on the several functions.

Proof of Concept

1. Navigate to the following contract.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/oracle/src/contract.rs#L172

Tools Used

None

Recommended Mitigation Steps

Recommend making sure division by 0 won’t occur by checking the variables beforehand and handling this edge case.

C4-002 : Coins can be lost which is not white-listed stable coin

Impact - LOW

Transmitted coins are filtered by the configured stable denomination in multiple places across the codebase, however any other coins sent are not returned to the sender. That leaves those other coins frozen to the contract.

Proof of Concept

1. Navigate to the following contract.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/anchor-bAsset-contracts/contracts/anchor_basset_hub/src/contract.rs#L43

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/anchor-bAsset-contracts/contracts/anchor_basset_hub/src/bond.rs#L41

Tools Used

None

Recommended Mitigation Steps

Consider returning unused coins or reverting the transaction if unexpected coins are sent.

C4-003 : Initialize Function Does Not Have Enough Sanity Check

Impact - LOW

The Overseer contract is responsible for storing key protocol parameters and the whitelisting of new bAsset collaterals. The Overseer keeps track of locked collateral amounts and calculates the borrow limits for each user. The initialize function does not have any sanity check in the smart contract variables.

Proof of Concept

1. Navigate to the following contract.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/overseer/src/contract.rs#L46

Tools Used

None

Recommended Mitigation Steps

The protocol considers to the variable is between 0 and 1. However, the sanity checks are not implemented. That will cause to arithmetic errors.

C4-004 : Missing zero-address check in the setter functions and initialize functions

Impact - LOW

Missing checks for zero-addresses may lead to broken functionality in the protocol, if the variable addresses are updated incorrectly.

Proof of Concept

1. Navigate to the following contracts.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L152

Tools Used

Code Review

Recommended Mitigation Steps

Consider adding zero-address checks in the discussed constructors: require(newAddr != address(0));.

C4-005 : Previous Feeder Can Be Overwritten

Impact - LOW

The Oracle contract acts as the price source for the Anchor Money Market. Price sources are gaven as a resource with the feeders. With the register_feeder function, the existing feeder will be overwritten. Therefore, the code does not check existing feeder.

Proof of Concept

1. Navigate to the following contracts.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/oracle/src/contract.rs#L76

Tools Used

Code Review

Recommended Mitigation Steps

Consider checking the existing feeder.

C4-006 : Empty String Can Be Inserted As a Whitelist

Impact - LOW

The Overseer contract is responsible for storing key protocol parameters and the whitelisting of new bAsset collaterals. The Overseer keeps track of locked collateral amounts and calculates the borrow limits for each user.

Proof of Concept

1. Navigate to the following contracts.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/overseer/src/contract.rs#L245

Tools Used

Code Review

Recommended Mitigation Steps

Consider to trim and validate all String parameters before the state.

C4-007 : Critical changes should use two-step procedure

Impact - NON CRITICAL

The owner is the authorized user in the cosmwasm contracts. Usually, an owner can be updated with update_config function. However, the process is only completed with single transaction. If the address is updated incorrectly, an owner functionality will be lost forever.

Proof of Concept

1. Navigate to the following contracts.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/oracle/src/contract.rs#L58

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/distribution_model/src/contract.rs#L79

Tools Used

Code Review

Recommended Mitigation Steps

Lack of two-step procedure for critical operations leaves them error-prone. Consider adding two step procedure on the critical functions.

C4-001 : Upgrade pragma to at least 0.8.4

Impact - Gas Optimization

Using newer compiler versions and the optimizer gives gas optimizations and additional safety checks are available for free.

The advantages of versions 0.8.* over <0.8.0 are:

• Safemath by default from 0.8.0 (can be more gas efficient than library based safemath.)
• Low level inliner : from 0.8.2, leads to cheaper runtime gas. Especially relevant when the contract has small functions. For example, OpenZeppelin libraries typically have a lot of small helper functions and if they are not inlined, they cost an additional 20 to 40 gas because of 2 extra jump instructions and additional stack operations needed for function calls.
• Optimizer improvements in packed structs: Before 0.8.3, storing packed structs, in some cases used an additional storage read operation. After EIP-2929, if the slot was already cold, this means unnecessary stack operations and extra deploy time costs. However, if the slot was already warm, this means additional cost of 100 gas alongside the same unnecessary stack operations and extra deploy time costs.
• Custom errors from 0.8.4, leads to cheaper deploy time cost and run time cost. Note: the run time cost is only relevant when the revert condition is met. In short, replace revert strings by custom errors.

Proof of Concept

1. The contest repository contracts contain floating pragma 0.8.0. The contracts pragma version can be updated to 0.8.4 for the gas optimization.

• https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L2

All Contracts

Tools Used

None

Recommended Mitigation Steps

Consider to upgrade pragma to at least 0.8.4.

C4-002 : ++i is more gas efficient than i++ in loops forwarding

Impact

++i is more gas efficient than i++ in loops forwarding.

Proof of Concept

1. Navigate to the following contracts.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L149

Tools Used

Code Review

Recommended Mitigation Steps

It is recommend to use unchecked{++i} and change i declaration to uint256.

C4-003 : Cache array length in for loops can save gas

Impact

Reading array length at each iteration of the loop takes 6 gas (3 for mload and 3 to place memory_offset) in the stack.

Caching the array length in the stack saves around 3 gas per iteration.

Proof of Concept

1. Navigate to the following smart contract line.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L149

Tools Used

None

Recommended Mitigation Steps

Consider to cache array length.

C4-004 : Redundant Code

Impact

The several code sections are redundant. The variable/structs should be deleted for the gas optimization if It is not used.

Proof of Concept

1. Navigate to the following smart contract line.

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L19

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L26

2. Struct Signature and VM is not used.

Tools Used

None

Recommended Mitigation Steps

Consider removing the unused function/structs which is not used.