Back to hack3r-0m's contests

Yield-Convex contest - hack3r-0m's results

Fixed-rate borrowing and lending on Ethereum

General Information

Platform: Code4rena

Start Date: 28/01/2022

Pot Size: $30,000 USDC

Total HM: 4

Participants: 22

Period: 3 days

Judge: GalloDaSballo

Total Solo HM: 2

Id: 80

League: ETH

Yield

Findings Distribution

Researcher Performance

Rank: 16/22

Findings: 1

Award: $69.12

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryYield

Findings Information

🌟 Selected for report: throttle

Also found by: 0x1f8b, TomFrenchBlockchain, WatchPug, cccz, defsec, hack3r-0m, hyh, kenzo, leastwood, sirhashalot, ye0lde

Labels

bug
duplicate
2 (Med Risk)

Awards

69.1238 USDC - $69.12

External Links

Link to GitHub issue

Handle

hack3r-0m

Vulnerability details

Location: https://github.com/code-423n4/2022-01-yield/blob/main/contracts/Cvx3CrvOracle.sol#L120-L122

DAI.latestRoundData returns data from the latest round, but there is no guarantee that the latest round happened frequently, it might be a case where latestRoundData has happened 1 hour or 1 day ago.

This can lead to stale data used for calculation and accounting.

Tools Used

Manual Review

(
    uint80 roundID, 
    int price,
    uint startedAt,
    uint timeStamp,
    uint80 answeredInRound
) = priceFeed.latestRoundData();

check that startedAt and timestamp are within certain permissible bounds (for e.g difference between current timestamp and latest round timestamp is not more than 1 hour)

#0 - alcueca

2022-02-02T17:00:32Z

Duplicate of #94

#1 - GalloDaSballo

2022-02-18T00:40:53Z

Duplicate of #136

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter