Juicebox V2 contest - hansfriese's results

The decentralized fundraising and treasury protocol.

General Information

Platform: Code4rena

Start Date: 01/07/2022

Pot Size: $75,000 USDC

Total HM: 17

Participants: 105

Period: 7 days

Judge: Jack the Pug

Total Solo HM: 5

Id: 143

League: ETH

Juicebox


Researcher Performance

Rank: 98/105

Findings: 2

Award: $18.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

14.8726 USDC - $14.87

Labels

bug
duplicate
3 (High Risk)
valid

External Links

Lines of code

https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBChainlinkV3PriceFeed.sol#L44

Vulnerability details

Impact

Chainlink's latestRoundData() might return stale or incorrect results, and currentPrice() uses the returned price without validating it.

Proof of Concept

According to the Chainlink documentation, consumers must check that the returned round is complete and not stale before using the price.

This is a link to the same issue.

Tools Used

Solidity Visual Developer of VSCode

The currentPrice() function should be modified as shown below. It follows the same pattern as the referenced fix.

    function currentPrice(uint256 _decimals) external view override returns (uint256) {
      // Get the latest round information. Only the price is needed.
      (uint80 roundID, int256 _price, , uint256 timeStamp, uint80 answeredInRound) = feed.latestRoundData();
      // A zero timestamp means the round has not been completed yet.
      require(timeStamp != 0, "ChainlinkOracle::getLatestAnswer: round is not complete");
      // If the answer was computed in an earlier round than the one requested, the data is stale.
      require(answeredInRound >= roundID, "ChainlinkOracle::getLatestAnswer: stale data");
      // Get a reference to the number of decimals the feed uses.
      uint256 _feedDecimals = feed.decimals();
      // Return the price, adjusted to the target decimals.
      return uint256(_price).adjustDecimals(_feedDecimals, _decimals);
    }

#0 - mejango

2022-07-12T18:49:23Z

dup #138

Lines of code

https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBERC20PaymentTerminal.sol#L99

Vulnerability details

Impact

The return value of ERC20.approve() is not checked. Some tokens do not revert when an approval fails but return false instead, so an approval that was never performed is still treated as a successful one.

Proof of Concept

The _beforeTransferTo() function performs an ERC20.approve() call but does not check the boolean it returns.

The same issue was reported in a past contest: https://github.com/code-423n4/2021-08-notional-findings/issues/67

Tools Used

Solidity Visual Developer of VSCode

We recommend using OpenZeppelin's SafeERC20 wrappers, safeIncreaseAllowance() and safeDecreaseAllowance(), which revert when the token returns false instead of silently continuing.
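As an added illustration of this finding (example code, not from the Juicebox repository): a constructed mock token whose approve() returns false, an approver contract written in the unchecked style, and one using OpenZeppelin's SafeERC20 as recommended. Contract and function names are hypothetical, and the example assumes OpenZeppelin contracts are installed at the usual import path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock (not a real token): approve() never reverts, it just
// returns false and leaves the allowance untouched.
contract FalseReturningToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address, uint256) external pure returns (bool) {
        return false;
    }
}

// Hypothetical approver in the vulnerable style: the bool from approve() is
// dropped, so a failed approval is treated as a success.
contract UncheckedApprover {
    function setAllowance(IERC20 token, address spender, uint256 amount) external {
        token.approve(spender, amount);
    }
}

// Hardened form as recommended above: SafeERC20 reverts when the token returns false.
contract SafeApprover {
    using SafeERC20 for IERC20;

    function setAllowance(IERC20 token, address spender, uint256 amount) external {
        token.safeIncreaseAllowance(spender, amount);
    }
}

// Deploy and call run(): the unchecked path completes with the allowance still 0
// and no revert; the SafeERC20 path reverts and the try/catch records it.
contract Demo {
    function run() external returns (bool silentFailure, bool safeReverted) {
        IERC20 token = IERC20(address(new FalseReturningToken()));
        UncheckedApprover raw = new UncheckedApprover();
        SafeApprover safe = new SafeApprover();

        raw.setAllowance(token, address(this), 1e18);
        silentFailure = token.allowance(address(raw), address(this)) == 0;

        try safe.setAllowance(token, address(this), 1e18) {
            safeReverted = false;
        } catch {
            safeReverted = true;
        }
    }
}
```

Deployed on a local chain, run() returns (true, true): the unchecked approver silently ends up with no allowance, while the SafeERC20 version surfaces the failure as a revert.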

#0 - mejango

2022-07-12T18:57:52Z

dup #281
