Ajna Protocol - evmboi32's results

A peer to peer, oracleless, permissionless lending protocol with no governance, accepting both fungible and non fungible tokens as collateral.

General Information

Platform: Code4rena

Start Date: 03/05/2023

Pot Size: $60,500 USDC

Total HM: 25

Participants: 114

Period: 8 days

Judge: Picodes

Total Solo HM: 6

Id: 234

League: ETH

Researcher Performance

Rank: 96/114

Findings: 1

Award: $34.02

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
3 (High Risk)
partial-50
sponsor confirmed
upgraded by judge
duplicate-488

Awards

34.0183 USDC - $34.02

External Links

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/PositionManager.sol#L170-L216

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L207-L260

Vulnerability details

Impact

A malicious actor can force a staker to stake more memorialized positions than intended if the victim has approved tokens to PositionManager.

Proof of Concept

Bob (malicious actor) can front-run Alice's call to the stake function and force her to stake more memorialized positions than she intended.

1. Alice approves a position from bucket i and bucket j to the PositionManager.
2. She calls memorializePositions with tokenId x and provides only i in the params_.indexes array.
3. She decides to call stake on the RewardsManager for the token x.
4. Bob sees her tx in the mempool and front-runs it with a call to memorializePositions where he provides x as the tokenId value and j as the value in the params_.indexes array.
5. Alice now stakes more than she intended. To fix this she needs to unstake, redeem the unwanted j position and stake again. Since ETH fees are expensive this can cost quite a lot.

Tools Used

VS Code

Recommended Mitigation Steps

Add a mayInteract modifier to the memorializePositions function call.
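The sequence from the proof of concept can be replayed in a small state model, once without a caller check on memorializePositions and once with one. This is an added example, not the Ajna contracts or the researcher's code: the class names, the owner-only check standing in for mayInteract, and the bucket indexes and tokenId are assumptions made for illustration.

```python
class NoAuth(Exception):
    """Stands in for the revert an authorization check would raise."""

class PositionManagerModel:
    def __init__(self, enforce_may_interact):
        self.enforce = enforce_may_interact
        self.owner_of = {}    # tokenId -> owner
        self.approved = {}    # owner -> bucket indexes approved to the manager
        self.positions = {}   # tokenId -> memorialized bucket indexes

    def mint(self, owner, token_id):
        self.owner_of[token_id] = owner
        self.positions[token_id] = set()

    def approve(self, owner, indexes):
        self.approved.setdefault(owner, set()).update(indexes)

    def memorialize_positions(self, sender, token_id, indexes):
        owner = self.owner_of[token_id]
        # Simplified stand-in for mayInteract: only the token owner may act on it.
        if self.enforce and sender != owner:
            raise NoAuth(f"{sender} may not act on token {token_id}")
        for index in indexes:
            if index not in self.approved.get(owner, set()):
                raise ValueError(f"bucket {index} not approved by {owner}")
            self.approved[owner].discard(index)   # model: approval is used up
            self.positions[token_id].add(index)

class RewardsManagerModel:
    def __init__(self, position_manager):
        self.pm = position_manager
        self.staked = {}      # tokenId -> bucket indexes recorded at stake time

    def stake(self, sender, token_id):
        if self.pm.owner_of[token_id] != sender:
            raise NoAuth("only the owner can stake")
        self.staked[token_id] = frozenset(self.pm.positions[token_id])
        return self.staked[token_id]

def run_scenario(enforce_may_interact):
    I, J, X = 2550, 2551, 1   # constructed bucket indexes and tokenId
    pm = PositionManagerModel(enforce_may_interact)
    rm = RewardsManagerModel(pm)
    pm.mint("alice", X)
    pm.approve("alice", [I, J])                      # step 1
    pm.memorialize_positions("alice", X, [I])        # step 2
    try:
        pm.memorialize_positions("bob", X, [J])      # step 4, ordered before the stake
        blocked = False
    except NoAuth:
        blocked = True
    return blocked, sorted(rm.stake("alice", X))     # step 3
```

With the check disabled the stake records both buckets; with it enabled Bob's call is rejected and only bucket i is staked.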

Assessed type

Access Control

#0 - c4-judge

2023-05-18T09:42:42Z

Picodes marked the issue as primary issue

#1 - c4-sponsor

2023-05-19T19:36:48Z

MikeHathaway marked the issue as sponsor confirmed

#2 - c4-judge

2023-05-30T21:47:21Z

Picodes marked the issue as duplicate of #488

#3 - c4-judge

2023-05-30T21:47:25Z

Picodes marked the issue as satisfactory

#4 - c4-judge

2023-05-30T21:47:30Z

Picodes marked the issue as partial-50

#5 - c4-judge

2023-05-30T21:48:18Z

Picodes changed the severity to 3 (High Risk)
