Tigris Trade contest - francoHacker's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Researcher Performance

Rank: 78/84

Findings: 1

Award: $1.15

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

1.1472 USDC - $1.15

Labels

bug
2 (Med Risk)
satisfactory
sponsor acknowledged
duplicate-377

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Trading.sol#L898-L975

Vulnerability details

Impact

The owner of Trading.sol holds a large set of privileges through the onlyOwner setters setBlockDelay, setAllowedVault, setMaxWinPercent, setLimitOrderPriceRange, setFees and setTradingExtension. With a single key the owner can change the block delay, whitelist any address as a StableVault, set the maximum payout and the limit-order price range, set the protocol fees, and point tradingExtension at an arbitrary contract. Apart from the relative ordering check in setFees (_daoFees >= _botFees + _referralFees*2, evaluated inside an unchecked block) and the upper bound on vaultFundingPercent (_percent <= DIVISION_CONSTANT), none of these setters bounds its input or delays its effect, so a compromised or malicious owner key could change the economics of open positions or the trading logic in a single transaction.

Proof of Concept

    function setBlockDelay(uint _blockDelay) external onlyOwner {
        blockDelay = _blockDelay;
    }

    /**
     * @dev Whitelists a stablevault contract address
     * @param _stableVault StableVault address
     * @param _bool true if allowed
     */
    function setAllowedVault(address _stableVault, bool _bool) external onlyOwner {
        allowedVault[_stableVault] = _bool;
    }

    /**
     * @dev Sets max payout % compared to margin
     * @param _maxWinPercent payout %
     */
    function setMaxWinPercent(uint _maxWinPercent) external onlyOwner {
        maxWinPercent = _maxWinPercent;
    }

    /**
     * @dev Sets executable price range for limit orders
     * @param _range price range in %
     */
    function setLimitOrderPriceRange(uint _range) external onlyOwner {
        limitOrderPriceRange = _range;
    }

    /**
     * @dev Sets the fees for the trading protocol
     * @param _open True if open fees are being set
     * @param _daoFees Fees distributed to the DAO
     * @param _burnFees Fees which get burned
     * @param _referralFees Fees given to referrers
     * @param _botFees Fees given to bots that execute limit orders
     * @param _percent Percent of earned funding fees going to StableVault
     */
    function setFees(bool _open, uint _daoFees, uint _burnFees, uint _referralFees, uint _botFees, uint _percent) external onlyOwner {
        unchecked {
            require(_daoFees >= _botFees+_referralFees*2);
            if (_open) {
                openFees.daoFees = _daoFees;
                openFees.burnFees = _burnFees;
                openFees.referralFees = _referralFees;
                openFees.botFees = _botFees;
            } else {
                closeFees.daoFees = _daoFees;
                closeFees.burnFees = _burnFees;
                closeFees.referralFees = _referralFees;
                closeFees.botFees = _botFees;
            }
            require(_percent <= DIVISION_CONSTANT);
            vaultFundingPercent = _percent;
        }
    }

    /**
     * @dev Sets the extension contract address for trading
     * @param _ext extension contract address
     */
    function setTradingExtension(address _ext) external onlyOwner() {
        tradingExtension = ITradingExtension(_ext);
    }

    // ===== EVENTS =====

    event PositionOpened(TradeInfo _tradeInfo, uint _orderType, uint _price, uint _id, address _trader, uint _marginAfterFees);
    event PositionClosed(uint _id, uint _closePrice, uint _percent, uint _payout, address _trader, address _executor);
    event PositionLiquidated(uint _id, address _trader, address _executor);
    event LimitOrderExecuted(uint _asset, bool _direction, uint _openPrice, uint _lev, uint _margin, uint _id, address _trader, address _executor);
    event UpdateTPSL(uint _id, bool _isTp, uint _price, address _trader);
    event LimitCancelled(uint _id, address _trader);
    event MarginModified(uint _id, uint _newMargin, uint _newLeverage, bool _isMarginAdded, address _trader);
    event AddToPosition(uint _id, uint _newMargin, uint _newPrice, address _trader);
    event FeesDistributed(address _tigAsset, uint _daoFees, uint _burnFees, uint _refFees, uint _botFees, address _referrer);
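For comparison, the same setters with the bounds and the delay a reviewer would expect to see. This is an added illustration written for this page, not code from the Tigris Trade repository or from the submission above. The value of DIVISION_CONSTANT (taken as 1e10), the 1% fee cap, the block-delay cap, the two-day timelock, the Fees struct layout and the minimal owner check are all assumptions made for the example; the fee invariant itself (dao >= bot + 2*ref, percent <= DIVISION_CONSTANT) is the one in the original setFees.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Tigris Trade code. Constants below are assumed values
// chosen for illustration; only the dao/bot/ref ordering and the percent
// bound come from the original setFees.
contract BoundedTradingAdmin {
    struct Fees { uint daoFees; uint burnFees; uint referralFees; uint botFees; }

    uint public constant DIVISION_CONSTANT = 1e10;              // assumed denominator (100%)
    uint public constant MAX_TOTAL_FEE = DIVISION_CONSTANT / 100; // assumed hard cap: 1% of notional
    uint public constant MAX_BLOCK_DELAY = 100;                  // assumed cap on blockDelay
    uint public constant TIMELOCK = 2 days;                      // assumed delay for extension swaps

    address public owner;
    Fees public openFees;
    Fees public closeFees;
    uint public vaultFundingPercent;
    uint public blockDelay;
    mapping(address => bool) public allowedVault;
    address public tradingExtension;

    address public pendingExtension;
    uint public pendingExtensionEta;

    event TradingExtensionProposed(address ext, uint eta);
    event TradingExtensionSet(address ext);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Keeps the original relative invariant, adds an absolute cap, and drops
    // `unchecked` so the additions revert on overflow instead of wrapping.
    function setFees(bool _open, uint _daoFees, uint _burnFees, uint _referralFees, uint _botFees, uint _percent)
        external
        onlyOwner
    {
        require(_daoFees >= _botFees + _referralFees * 2, "dao < bot + 2*ref");
        uint total = _daoFees + _burnFees + _referralFees + _botFees;
        require(total <= MAX_TOTAL_FEE, "total fee above cap");
        require(_percent <= DIVISION_CONSTANT, "percent above 100%");

        Fees storage f = _open ? openFees : closeFees;
        f.daoFees = _daoFees;
        f.burnFees = _burnFees;
        f.referralFees = _referralFees;
        f.botFees = _botFees;
        vaultFundingPercent = _percent;
    }

    function setBlockDelay(uint _blockDelay) external onlyOwner {
        require(_blockDelay <= MAX_BLOCK_DELAY, "delay above cap");
        blockDelay = _blockDelay;
    }

    // Reject EOAs: a whitelisted "vault" must at least be deployed code.
    function setAllowedVault(address _stableVault, bool _bool) external onlyOwner {
        require(_stableVault.code.length > 0, "vault is not a contract");
        allowedVault[_stableVault] = _bool;
    }

    // Two-step, timelocked replacement: the new extension is announced on-chain
    // and only becomes live after TIMELOCK, so users can close positions first.
    function proposeTradingExtension(address _ext) external onlyOwner {
        require(_ext.code.length > 0, "extension is not a contract");
        pendingExtension = _ext;
        pendingExtensionEta = block.timestamp + TIMELOCK;
        emit TradingExtensionProposed(_ext, pendingExtensionEta);
    }

    function executeTradingExtension() external onlyOwner {
        require(pendingExtension != address(0), "nothing pending");
        require(block.timestamp >= pendingExtensionEta, "timelock not elapsed");
        tradingExtension = pendingExtension;
        pendingExtension = address(0);
        pendingExtensionEta = 0;
        emit TradingExtensionSet(tradingExtension);
    }
}
```

The caps do not remove the trust placed in the owner; they narrow what a single mis-sent transaction or a compromised key can do to a bounded, observable change, and the timelock gives traders a window to exit before a new tradingExtension takes effect. Putting the owner behind a multisig, as the sponsor describes below, addresses who can sign, while these checks address what a signature can do.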

Tools Used

Manual review

#0 - TriHaz

2023-01-09T16:57:09Z

We are aware of the centralization risks, initially, all contracts will have a multi-sig as owner to prevent a sole owner, later on a DAO could be the owner.

#1 - c4-sponsor

2023-01-09T16:57:16Z

TriHaz marked the issue as sponsor acknowledged

#2 - GalloDaSballo

2023-01-15T16:06:20Z

This in conjunction with #377 covers all "basic" admin privilege findings

#3 - c4-judge

2023-01-15T16:06:28Z

GalloDaSballo marked the issue as duplicate of #377

#4 - c4-judge

2023-01-22T17:34:46Z

GalloDaSballo marked the issue as satisfactory
