Back to dimitri's contests

LI.FI contest - dimitri's results

Bridge & DEX Aggregation.

General Information

Platform: Code4rena

Start Date: 24/03/2022

Pot Size: $75,000 USDC

Total HM: 15

Participants: 59

Period: 7 days

Judge: gzeon

Id: 103

League: ETH

LI.FI

Findings Distribution

Researcher Performance

Rank: 41/59

Findings: 2

Award: $177.72

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryLI.FI

Findings Information

🌟 Selected for report: hake

Also found by: 0v3rf10w, 0xDjango, 0xkatana, BouSalman, CertoraInc, Dravee, Hawkeye, IllIllI, JMukesh, Jujic, Kenshin, PPrieditis, Picodes, PranavG, Ruhum, SolidityScan, VAD37, WatchPug, aga7hokakological, catchup, csanuragjain, cthulhu_cult, defsec, dimitri, hickuphh3, hubble, hyh, kenta, kirk-baird, obront, peritoflores, rayn, robee, saian, samruna, shenwilly, shw, sorrynotsorry, tchkvsky, teryanarmen, ych18

Awards

116.1812 USDC - $116.18

Labels

bug
resolved
QA (Quality Assurance)

External Links

Link to GitHub issue
  1. The Natspec in LibAsset for transferERC20 says, on L76

Address to send ether to This should read something like "Address to send token to"

  1. Possible to leave funds in contract The general flows indicate that funds supposed to be moved into and out of these contracts in a single tx. However, in addition to the general possibility that someone sends some ERC20 to this contract, swap allows for a poorly constructed swap to transfer in more tokens than are used in the swap.

  2. Possible to trade with funds others have left in the contracts Given I can pass in any calldata to swap, I could trade with whatever tokens are in the contract at the time of me tx: it does not have to be fromAssetId and toAssetId.

  3. Given all of the above, AssetSwapped event log could end up being very misleading. I could trade with more than fromAmount and thus throw off the toAmount/toAmount ratio.

#0 - H3xept

2022-04-08T09:19:18Z

  1. / 3. / 4. Fixed in lifinance/lifi-contracts@4d66e5ad5f9a897d9f8a66eb7a4e765e0b6ff97c

Findings Information

🌟 Selected for report: Dravee

Also found by: 0v3rf10w, 0xDjango, 0xNazgul, 0xkatana, ACai, CertoraInc, FSchmoede, Funen, Hawkeye, IllIllI, Jujic, Kenshin, PPrieditis, Picodes, SolidityScan, TerrierLover, Tomio, WatchPug, catchup, csanuragjain, defsec, dimitri, hake, hickuphh3, kenta, minhquanym, obront, peritoflores, rayn, rfa, robee, saian, samruna, tchkvsky, teryanarmen, ych18

Awards

61.5429 USDC - $61.54

Labels

bug
G (Gas Optimization)
resolved

External Links

Link to GitHub issue

All occurrences of == true can be removed and 23 gas will be saved in each case, with entirely equivalent execution. Occurs in DexManagerFacet: L20, L34 Swapper: L16

#0 - H3xept

2022-04-08T15:23:56Z

Duplicate if #39

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter