Float Capital contest - evertkors's results

Synthetic assets made simple. No overcollateralization. No liquidation. Not a fork.

General Information

Platform: Code4rena

Start Date: 05/08/2021

Pot Size: $50,000 USDC

Total HM: 9

Participants: 16

Period: 7 days

Judge: 0xean

Total Solo HM: 4

Id: 22

League: ETH

Float Capital

Findings Distribution

Researcher Performance

Rank: 12/16

Findings: 2

Award: $646.39

🌟 Selected for report: 2

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Float Capital

Findings Information

🌟 Selected for report: evertkors

Also found by: loop

Labels

bug

1 (Low Risk)

sponsor confirmed

fixed-in-upstream-repo

Awards

351.1121 USDC - $351.11

External Links

Link to GitHub issue

Handle

evertkors

Vulnerability details

A lot of docstrings for marketIndex are @param marketIndex An int32 which uniquely identifies a market. but it is a uint32 not an int32

#0 - 0xean
2021-08-25T15:48:31Z

based on https://docs.code4rena.com/roles/wardens/judging-criteria#estimating-risk-tl-dr upgrading this to 1

Findings Information

🌟 Selected for report: evertkors

Labels

bug

duplicate

G (Gas Optimization)

sponsor disputed

Awards

249.7566 USDC - $249.76

External Links

Link to GitHub issue

Handle

evertkors

Vulnerability details

Impact

userAmountStaked[token][msg.sender] is read from storage twice on Staker.sol:925

Recommended Mitigation Steps

uint256 amountUser = userAmountStaked[token][msg.sender] require(amountUser > 0, "nothing to withdraw") _mintAccumulatedFloat(marketIndex, msg.sender); userAmountStaked[token][msg.sender] = amountUser - amount

#0 - JasoonS
2021-08-11T04:40:03Z

Unfortunately this is still needed. _mintAccumulatedFloatAndExecuteOutstandingShifts(marketIndex, msg.sender); modifies the userAmountStaked[token][msg.sender], so you do need to read that value again.

See below image:

#1 - JasoonS
2021-08-13T18:02:38Z

Verdict: given the code this optimization introduces a bug. Final code indeed only reads userAmountStaked once, but that is due to other optimizations.

#2 - JasoonS
2021-08-13T18:04:05Z

Not an exact duplicate of #25, #24 and #18 (different variable - but same optimization suggested -closing)

#3 - 0xean
2021-08-25T16:43:10Z

I am not sure where the divergence in code is here but the line that was reference by the warden is

require(userAmountStaked[token][msg.sender] > 0, "nothing to withdraw");
    _mintAccumulatedFloat(marketIndex, msg.sender);

    userAmountStaked[token][msg.sender] = userAmountStaked[token][msg.sender] - amount;

where the _mintAccumulatedFloat does not modify the userAmountStaked. Given this information, I am reopening the issue.

Float Capital contest - evertkors's results

Synthetic assets made simple. No overcollateralization. No liquidation. Not a fork.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $351.11

Gas Report - $249.76

QA Report - $351.11

Gas Report - $249.76

🌟 [L-12] Docstring - $351.11

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

#0 - 0xean2021-08-25T15:48:31Z

🚀 [G-08] Internal _withdraw, reading from storage twice. - $249.76

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Recommended Mitigation Steps

#0 - JasoonS2021-08-11T04:40:03Z

#1 - JasoonS2021-08-13T18:02:38Z

#2 - JasoonS2021-08-13T18:04:05Z

#3 - 0xean2021-08-25T16:43:10Z

#0 - 0xean
2021-08-25T15:48:31Z

#0 - JasoonS
2021-08-11T04:40:03Z

#1 - JasoonS
2021-08-13T18:02:38Z

#2 - JasoonS
2021-08-13T18:04:05Z

#3 - 0xean
2021-08-25T16:43:10Z