Tigris Trade contest - gzeon's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Tigris Trade

Findings Distribution

Researcher Performance

Rank: 73/84

Findings: 2

Award: $12.84

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Tigris Trade

Findings Information

🌟 Selected for report: 0xA5DF

Also found by: 0xA5DF, 0xNazgul, 0xSmartContract, 0xbepresent, 0xdeadbeef0x, 8olidity, Englave, Faith, HE1M, JohnnyTime, Madalad, Mukund, Ruhum, SmartSek, __141345__, aviggiano, carlitox477, cccz, chaduke, francoHacker, gz627, gzeon, hansfriese, hihen, imare, jadezti, kwhuo68, ladboy233, orion, peanuts, philogy, rbserver, wait, yjrwkk

Awards

1.1472 USDC - $1.15

Labels

bug

2 (Med Risk)

satisfactory

duplicate-377

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L898-L905

Vulnerability details

Impact

The value of blockDelay is unbounded. With the widespread use of unchecked throughout the codebase this can cause unexpected behavior. For example, it might overflow here:

https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L858-L867

        unchecked {
            Delay memory _delay = blockDelayPassed[_id];
            if (_delay.actionType == _type) {
                blockDelayPassed[_id].delay = block.number + blockDelay;
            } else {
                if (block.number < _delay.delay) revert("0"); //Wait
                blockDelayPassed[_id].delay = block.number + blockDelay;
                blockDelayPassed[_id].actionType = _type;
            }
        }

and cause the delay not working as expected.

Proof of Concept

https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L898-L905

    function setBlockDelay(
        uint _blockDelay
    )
        external
        onlyOwner
    {
        blockDelay = _blockDelay;
    }

Recommended Mitigation Steps

Bound the max number of block delay, or remove the unchecked.

#0 - TriHaz
2022-12-23T02:28:59Z

Same as #17, would label as duplicate.

#1 - c4-judge
2022-12-23T17:35:42Z

GalloDaSballo marked the issue as duplicate of #321

#2 - c4-judge
2023-01-19T19:51:46Z

GalloDaSballo marked the issue as duplicate of #377

#3 - c4-judge
2023-01-22T17:35:00Z

GalloDaSballo marked the issue as satisfactory

Findings Information

🌟 Selected for report: rbserver

Also found by: 0x52, 0xDecorativePineapple, 0xdeadbeef0x, 8olidity, Jeiwan, Rolezn, __141345__, bin2chen, eierina, fs0c, gzeon, joestakey, koxuan, kwhuo68, ladboy233, rvierdiiev, yixxas

Awards

11.6941 USDC - $11.69

Labels

bug

2 (Med Risk)

satisfactory

duplicate-655

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/utils/TradingLibrary.sol#L113

Vulnerability details

Impact

Chainlink latestAnswer() is deprecated. It might return stale data or incomplete round answer.

Proof of Concept

https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/utils/TradingLibrary.sol#L113

            int256 assetChainlinkPriceInt = IPrice(_chainlinkFeed).latestAnswer();

Recommended Mitigation Steps

Check for stale price and round completeness using latestRoundData()

#0 - c4-judge
2022-12-22T00:20:23Z

GalloDaSballo marked the issue as duplicate of #655

#1 - GalloDaSballo
2022-12-22T00:20:34Z

Barely made it as dup of #655 because of mentioning stale data not being validate

#2 - c4-judge
2023-01-22T17:31:08Z

GalloDaSballo marked the issue as satisfactory

Tigris Trade contest - gzeon's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Findings Distribution

Researcher Performance

External Links

[M-12] Lack of bound for blockDelay - $1.15

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

#0 - TriHaz2022-12-23T02:28:59Z

#1 - c4-judge2022-12-23T17:35:42Z

#2 - c4-judge2023-01-19T19:51:46Z

#3 - c4-judge2023-01-22T17:35:00Z

[M-24] Stale data from oracle - $11.69

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

#0 - c4-judge2022-12-22T00:20:23Z

#1 - GalloDaSballo2022-12-22T00:20:34Z

#2 - c4-judge2023-01-22T17:31:08Z

#0 - TriHaz
2022-12-23T02:28:59Z

#1 - c4-judge
2022-12-23T17:35:42Z

#2 - c4-judge
2023-01-19T19:51:46Z

#3 - c4-judge
2023-01-22T17:35:00Z

#0 - c4-judge
2022-12-22T00:20:23Z

#1 - GalloDaSballo
2022-12-22T00:20:34Z

#2 - c4-judge
2023-01-22T17:31:08Z