Canto Dex Oracle contest - hansfriese's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 07/09/2022

Pot Size: $20,000 CANTO

Total HM: 7

Participants: 65

Period: 1 day

Judge: 0xean

Total Solo HM: 3

Id: 159

League: ETH

Canto

Researcher Performance

Rank: 18/65

Findings: 2

Award: $146.62

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: hickuphh3

Also found by: 0xNazgul, 0xSky, CertoraInc, Deivitto, Jeiwan, SinceJuly, hansfriese, linmiaomiao, rbserver

Labels

bug
duplicate
2 (Med Risk)

Awards

664.9949 CANTO - $107.40

External Links

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L582

Vulnerability details

Impact

During the token0TVL calculation, it divides by decimals without multiplying by 1e18 first.

So there might be division loss and the price might be calculated wrongly.

Proof of Concept

When we calculate this part, it divides first without multiplying by 1e18.

File: 2022-09-canto\src\Swap\BaseV1-periphery.sol
582: uint token0TVL = assetReserves[i] * (prices[i] / decimals);

Tools Used

Solidity Visual Developer of VSCode

First, we can modify this part like below.

uint token0TVL = assetReserves[i] * prices[i] * 1e18 / decimals;
uint token1TVL = unitReserves[i] * 1e18; // price of the unit asset is always 1
LpPricesCumulative += (token0TVL + token1TVL) / supply[i];

Btw, for the token0TVL calculation, I am not so sure there won't be any uint overflow, and I think we can modify it like below for safety.

uint token0TVL;
if (1e18 >= decimals) {
    uint diff = 1e18 / decimals;
    token0TVL = assetReserves[i] * prices[i] * diff;
} else {
    uint diff = decimals / 1e18;
    token0TVL = assetReserves[i] * prices[i] / diff;
}
uint token1TVL = unitReserves[i] * 1e18; // price of the unit asset is always 1
LpPricesCumulative += (token0TVL + token1TVL) / supply[i];

#0 - nivasan1

2022-09-09T17:40:46Z

duplicate #41
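
Added example (not part of the submission above or of the Canto code base): a Python model of the three token0TVL expressions quoted in the finding, showing the truncation from dividing first and the overflow concern raised for the multiply-first form. Python integers with an explicit 2^256 bound stand in for uint256; revert-on-overflow multiplication and all sample reserve, price and decimals values are assumptions constructed for illustration.

```python
# Added example: Python ints with an explicit bound stand in for Solidity uint256.
UINT256_MAX = 2**256 - 1
E18 = 10**18

def checked_mul(a: int, b: int) -> int:
    """uint256 multiply that reverts on overflow (assumed checked arithmetic)."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 overflow")
    return product

def tvl_divide_first(reserve: int, price: int, decimals: int) -> int:
    """Line 582 as quoted: assetReserves[i] * (prices[i] / decimals)."""
    return checked_mul(reserve, price // decimals)

def tvl_multiply_first(reserve: int, price: int, decimals: int) -> int:
    """First proposal: assetReserves[i] * prices[i] * 1e18 / decimals (1e18-scaled)."""
    return checked_mul(checked_mul(reserve, price), E18) // decimals

def tvl_scaled_diff(reserve: int, price: int, decimals: int) -> int:
    """Second proposal: combine 1e18 and decimals into one factor before use."""
    if E18 >= decimals:
        return checked_mul(checked_mul(reserve, price), E18 // decimals)
    return checked_mul(reserve, price) // (decimals // E18)

def lost_fraction(reserve: int, price: int, decimals: int) -> float:
    """Share of the 1e18-scaled TVL dropped by dividing before multiplying."""
    exact = tvl_multiply_first(reserve, price, decimals)
    lossy = tvl_divide_first(reserve, price, decimals) * E18
    return (exact - lossy) / exact

if __name__ == "__main__":
    # Constructed sample values: 18-decimal token, 1000 tokens in reserve.
    decimals, reserve = E18, 1_000 * E18
    for price in (15 * 10**17, 5 * 10**17):   # 1.5 and 0.5 in fixed point
        print(price, tvl_divide_first(reserve, price, decimals),
              tvl_multiply_first(reserve, price, decimals),
              lost_fraction(reserve, price, decimals))
    # Large constructed operands: the extra * 1e18 overflows, the diff form does not.
    try:
        tvl_multiply_first(10**40, 10**30, decimals)
    except OverflowError as exc:
        print("multiply-first:", exc)
    print("diff form:", tvl_scaled_diff(10**40, 10**30, decimals))
```

With these constructed inputs, a price of 1.5 loses a third of the asset-side TVL when the division runs first, and any price below one whole unit truncates to zero.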
