Platform: Code4rena
Start Date: 05/08/2021
Pot Size: $50,000 USDC
Total HM: 9
Participants: 16
Period: 7 days
Judge: 0xean
Total Solo HM: 4
Id: 22
League: ETH
Rank: 9/16
Findings: 4
Award: $1,217.87
🌟 Selected for report: 1
🚀 Solo Findings: 0
139.9465 USDC - $139.95
hack3r-0m
initializeMarket can be called with different marketIndex each time while calling IStaker(staker).addNewStakingFund with the same parameters resulting in overriding of mapping in the staker contract and hence removing past staking funds.
latestMarket should be replaced with marketIndex in the above-marked code lines.
#0 - JasoonS
2021-08-12T06:06:02Z
Duplicate #9
1053.3363 USDC - $1,053.34
hack3r-0m
Consider the following state:
long_synth_balace = 300; short_synth_balace = 200;
marketUpdateIndex[1] = x; userNextPrice_currentUpdateIndex = 0; userNextPrice_syntheticToken_toShiftAwayFrom_marketSide[1][true] = 0; batched_amountSyntheticToken_toShiftAwayFrom_marketSide[1][true] = 0;
User calls shiftPositionFromLongNextPrice(marketIndex=1, amountSyntheticTokensToShift=100)
This results in following state changes:
long_synth_balace = 200; short_synth_balace = 200; userNextPrice_syntheticToken_toShiftAwayFrom_marketSide[1][true] = 100; batched_amountSyntheticToken_toShiftAwayFrom_marketSide[1][true] = 100; userNextPrice_currentUpdateIndex = x+1 ;
Due to some other transactions, oracle updates twice, and now the marketUpdateIndex[1] is x+2 and also updating price snapshots.
When User calls getUsersConfirmedButNotSettledSynthBalance(user, 1)
initial condition
if ( userNextPrice_currentUpdateIndex[marketIndex][user] != 0 && userNextPrice_currentUpdateIndex[marketIndex][user] <= currentMarketUpdateIndex )
will be true;
syntheticToken_priceSnapshot[marketIndex][isLong][currentMarketUpdateIndex] (https://github.com/hack3r-0m/2021-08-floatcapital/blob/main/contracts/contracts/LongShort.sol#L532)
this uses price of current x+2 th update while it should balance of accounting for price of x+1 th update.
#0 - JasoonS
2021-08-12T05:53:26Z
Yes good spot.
This function is view only, and is only used for view only purposes. The rest of the system will always operate correctly because it rather uses _executeOutstandingNextPriceSettlements than the getUsersConfirmedButNotSettledSynthBalance. Therefore I propose this as a 1 Low Risk vulnerability.
#1 - 0xean
2021-08-24T22:05:25Z
I am going to align with the 2 (Med Risk) severity. Reporting the incorrect position in a UI to a user could definitely lead unexpected loss of funds in a sharp market move where a user is intending on hedging elsewhere.
24.5798 USDC - $24.58
hack3r-0m
mark longShort,treasury,paymentToken,aToken,lendingPool,aaveIncentivesController and referralCode as immutable since they are only assigned in constructor and never re-assigned.
#0 - JasoonS
2021-08-12T06:07:37Z
Duplicate of #7
#1 - 0xean
2021-08-25T16:57:44Z
dupe of #53