Biconomy Hyphen 2.0 contest - hagrid's results

Next-Gen Multichain Relayer Protocol.

General Information

Platform: Code4rena

Start Date: 10/03/2022

Pot Size: $75,000 USDT

Total HM: 25

Participants: 54

Period: 7 days

Judge: pauliax

Total Solo HM: 10

Id: 97

League: ETH

Biconomy

Findings Distribution

Researcher Performance

Rank: 31/54

Findings: 3

Award: $277.69

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Jujic

Also found by: IllIllI, Ruhum, defsec, hagrid, minhquanym, shenwilly

Labels

bug
duplicate
2 (Med Risk)

Awards

99.257 USDT - $99.26

External Links

Lines of code

https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/LiquidityPool.sol#L149-L170

Vulnerability details

Vulnerability Details

The LiquidityPool.depositErc20 function takes an amount parameter, but for fee-on-transfer, deflationary, or other rebasing tokens this parameter is not the amount actually transferred into the pool.

Impact

The actual deposited amount might be lower than the specified amount of the function parameter. This would lead to wrong interest rate calculations on the principal.

Recommendation

Transfer the tokens first and compare the pool's token balance before and after the transfer to compute the actual deposited amount, before emitting the event and increasing the liquidity.
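The balance-difference pattern recommended above, shown as an added example next to the unsafe pattern; this is a hypothetical simplified pool written for illustration, not the Hyphen LiquidityPool code, and it assumes a minimal standard ERC20 interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed for the example (assumes standard ERC20 semantics).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical simplified pool; not the Hyphen LiquidityPool contract itself.
contract BalanceDiffDepositExample {
    mapping(address => uint256) public totalLiquidity;                 // token -> principal held
    mapping(address => mapping(address => uint256)) public deposits;   // user -> token -> principal
    bool private locked;                                                // simple reentrancy guard

    event Deposit(address indexed from, address indexed token, uint256 requested, uint256 received);

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // Unsafe pattern: credits `amount` although a fee-on-transfer token
    // delivers less than `amount` to this contract, so principal is overstated.
    function depositErc20Unsafe(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        totalLiquidity[token] += amount;
        deposits[msg.sender][token] += amount;
        emit Deposit(msg.sender, token, amount, amount);
    }

    // Hardened pattern: measure the pool balance before and after the transfer
    // and credit only what actually arrived. The reentrancy guard matters here
    // because tokens with transfer hooks could re-enter between the two reads.
    function depositErc20(address token, uint256 amount) external nonReentrant returns (uint256 received) {
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 balanceAfter = IERC20(token).balanceOf(address(this));
        received = balanceAfter - balanceBefore;   // reverts on underflow in 0.8.x
        require(received > 0, "nothing received");
        totalLiquidity[token] += received;
        deposits[msg.sender][token] += received;
        emit Deposit(msg.sender, token, amount, received);
    }
}
```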

#0 - ankurdubey521

2022-03-30T15:49:32Z

Duplicate of #39

Awards

118.9599 USDT - $118.96

Labels

bug
QA (Quality Assurance)

Lack of Zero Address Check

Details

Input validation on address parameters, checking for the zero address, is always recommended, especially when those addresses are used in token transfers.

There is a missing zero address check in the WhitelistPeriodManager:setLpToken function.

Recommendation

Perform zero address input validation on _lpToken parameter.

10 ** 18 can be changed to 1e18 to save some gas

Description

https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityProviders.sol#L27

uint256 public constant BASE_DIVISOR = 10**18;

can be changed to:

uint256 public constant BASE_DIVISOR = 1e18;

to optimise gas.
