Back to gogo's contests

Swivel v3 contest - gogo's results

The Capital-Efficient Protocol For Fixed-Rate Lending.

General Information

Platform: Code4rena

Start Date: 12/07/2022

Pot Size: $35,000 USDC

Total HM: 13

Participants: 78

Period: 3 days

Judge: 0xean

Total Solo HM: 6

Id: 135

League: ETH

Swivel

Findings Distribution

Researcher Performance

Rank: 59/78

Findings: 1

Award: $44.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositorySwivel

Findings Information

🌟 Selected for report: joestakey

Also found by: 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 8olidity, Avci, Bahurum, Bnke0x0, Chom, ElKu, Funen, GimelSec, JC, Junnon, Kaiziron, Meera, PaludoX0, Picodes, ReyAdmirado, Sm4rty, Soosh, Waze, _Adam, __141345__, ak1, aysha, benbaessler, bin2chen, c3phas, cccz, cryptphi, csanuragjain, defsec, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, itsmeSTYJ, jonatascm, kyteg, mektigboy, oyc_109, pashov, rbserver, rishabh, robee, rokinot, sach1r0, sashik_eth, scaraven, simon135, slywaters

Awards

44.2827 USDC - $44.28

Labels

bug
QA (Quality Assurance)
sponsor disputed
wontfix

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-07-swivel/blob/main/Tokens/Erc20.sol#L78-L84

Vulnerability details

Impact

А possible attack scenario:

  • Alice allows Bob to transfer N of Alice's tokens (N>0) by calling the approve method on a Token smart contract,
    passing the Bob's address and N as the method arguments
  • After some time, Alice decides to change from N to M (M>0) the number of Alice's tokens Bob is allowed to transfer,
    so she calls the approve method again, this time passing the Bob's address and M as the method arguments
  • Bob notices the Alice's second transaction before it was mined and quickly sends another transaction
    that calls the transferFrom method to transfer N Alice's tokens somewhere
  • If the Bob's transaction will be executed before the Alice's transaction,
    then Bob will successfully transfer N Alice's tokens and will gain an ability to transfer another M tokens
  • Before Alice noticed that something went wrong, Bob calls the transferFrom method again, this time to transfer M Alice's tokens.

So, an Alice's attempt to change the Bob's allowance from N to M (N>0 and M>0) made it possible for Bob to transfer N+M of Alice's tokens,
while Alice never wanted to allow so many of her tokens to be transferred by Bob.

Proof of Concept

File: /Tokens/Erc20.sol

78    function approve(address spender, uint256 amount) public virtual returns (bool) {
79        allowance[msg.sender][spender] = amount;
80
81        emit Approval(msg.sender, spender, amount);
82
83        return true;
84    }

https://github.com/code-423n4/2022-07-swivel/blob/main/Tokens/Erc20.sol#L78-L84

Tools Used

editor

Add decreaseAllowance and increaseAllowance functions on the custom ERC20 implementation.

#0 - JTraversa

2022-07-20T07:35:34Z

Never been a fan of these reports, but i'll leave it to the judges. We just used the minimalistic solmate ERC20 implementation and in general the increase/decrease isnt a factor for our zcToken in comparison to approve.

#1 - bghughes

2022-07-31T21:05:17Z

Never been a fan of these reports, but i'll leave it to the judges. We just used the minimalistic solmate ERC20 implementation and in general the increase/decrease isnt a factor for our zcToken in comparison to approve.

Agreed, this is QA at best IMO and the user is referencing an idea that applies to ERC20 globally

#2 - bghughes

2022-07-31T21:07:42Z

Warden did not submit QA so this will act as their primary QA report.

#3 - robrobbins

2022-08-31T01:00:06Z

may as well label this

"Use of ERC20"

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter