Canto Dex Oracle contest - hake's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 07/09/2022

Pot Size: $20,000 CANTO

Total HM: 7

Participants: 65

Period: 1 day

Judge: 0xean

Total Solo HM: 3

Id: 159

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 33/65

Findings: 1

Award: $39.22

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L531-L532

Vulnerability details

Impact and Proof of Concept

Relying on decimals() may leave some tokens unable to have their price converted, because decimals() is optional in the ERC-20 standard and is absent from many ERC-20 tokens; a call to a missing function reverts, and so does the whole price query.

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L531-L532

        uint decimals = 10 ** token.decimals(); // get decimals of token

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L543-L544

        uint decimals = 10 ** token.decimals();

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L560-L577

                decimals = 10 ** (erc20(token1).decimals()); // we must normalize the price of token1 to 18 decimals
                prices = pair.sample(token1, decimals, 8, 1);
                (unitReserves, assetReserves) = pair.sampleReserves(8, 1);
            } else {
                decimals = 10 ** (erc20(token0).decimals());
                prices = pair.sample(token0, decimals, 8, 1);
                (assetReserves, unitReserves) = pair.sampleReserves(8, 1);
            }
        } else { // non-stable pairs will be priced in terms of Canto
            if (token0 == address(wcanto)) { // token0 is Canto, and the unit asset of this pair is Canto
                decimals = 10 ** (erc20(token1).decimals());
                prices = pair.sample(token1, decimals, 8, 1);
                (unitReserves, assetReserves) = pair.sampleReserves(8, 1);
            } else {
                decimals = 10 ** (erc20(token0)).decimals();
                prices = pair.sample(token0, decimals, 8, 1);
                (assetReserves, unitReserves) = pair.sampleReserves(8, 1);
            }

Either do not rely on decimals() for every token (tolerate a missing or reverting decimals() and fall back to a configured value), or make sure every token the oracle interacts with implements decimals().
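The first branch of that mitigation, as an added example that is not part of the original submission or of Canto's BaseV1-periphery code: a decimals() lookup that does not revert when the function is absent, with a governance-set override for tokens known to lack it. The contract names (`SafeDecimalsExample`, `TokenWithoutDecimals`), the functions (`safeDecimals`, `scale`, `setDecimalsOverride`) and the mappings are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

// Added example, not code from the Canto repository: an oracle-side helper
// that does not revert when a token omits the optional ERC-20 decimals()
// function. All contract and function names here are hypothetical.

interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

// Mock token with no decimals() at all (constructed for this example).
// A high-level call to decimals() on it reverts, because there is no
// matching function and no fallback.
contract TokenWithoutDecimals {
    string public name = "NoDecimals";
    string public symbol = "NODEC";
}

contract SafeDecimalsExample {
    address public immutable governance;

    // Governance-set override for tokens known to lack decimals(). A separate
    // flag is kept so that a legitimate value of 0 decimals can be configured.
    mapping(address => uint8) public overrideDecimals;
    mapping(address => bool) public hasOverride;

    error DecimalsUnavailable(address token);

    constructor() {
        governance = msg.sender;
    }

    function setDecimalsOverride(address token, uint8 dec) external {
        require(msg.sender == governance, "not governance");
        overrideDecimals[token] = dec;
        hasOverride[token] = true;
    }

    // Returns the token's decimals without letting a missing or reverting
    // decimals() take the whole price query down with it.
    function safeDecimals(address token) public view returns (uint8) {
        if (hasOverride[token]) return overrideDecimals[token];

        // Low-level staticcall instead of `IERC20Decimals(token).decimals()`:
        // the high-level call reverts on a missing function, on a
        // non-contract address (which returns success with empty data),
        // or on a short return. Each case is handled explicitly here.
        (bool ok, bytes memory data) = token.staticcall(
            abi.encodeWithSelector(IERC20Decimals.decimals.selector)
        );
        if (ok && data.length >= 32) {
            uint256 dec = abi.decode(data, (uint256));
            // 10 ** 77 is the largest power of ten that fits in uint256.
            if (dec <= 77) return uint8(dec);
        }
        revert DecimalsUnavailable(token);
    }

    // Scale factor computed the way BaseV1-periphery computes
    // `10 ** token.decimals()`, but through the tolerant lookup.
    function scale(address token) external view returns (uint256) {
        return 10 ** uint256(safeDecimals(token));
    }
}
```

Deploy `TokenWithoutDecimals`, call `scale(address(token))` and it reverts with `DecimalsUnavailable(token)` rather than with an empty revert; after governance calls `setDecimalsOverride(token, 18)` the same call returns `1e18`. The explicit error and the override are the practical difference from the original code path: an unsupported token fails with a diagnosable reason, and it can be supported without redeploying the oracle.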

#0 - nivasan1

2022-09-10T16:28:09Z

All cTokens passed to getUnderlyingPrice will be supported by the Comptroller, and will implement the erc20 interface defined in BaseV1-libs, as such, they must implement the decimals method.

#1 - 0xean

2022-09-12T14:31:06Z

downgrading to QA as this is controlled via governance.
