Platform: Code4rena
Start Date: 14/10/2022
Pot Size: $100,000 USDC
Total HM: 12
Participants: 75
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 171
League: ETH
Rank: 11/75
Findings: 4
Award: $2,157.04
🌟 Selected for report: 0
🚀 Solo Findings: 0
0.3268 USDC - $0.33
LBToken._transfer() won't work properly when _from == _to.
Users can double their balances as they want by transferring the tokens to their accounts again.
As a result, the token will be useless.
Inside the _transfer(), it uses _fromBalance and _toBalance to update the balances after the transfer.
unchecked { _balances[_id][_from] = _fromBalance - _amount; _balances[_id][_to] = _toBalance + _amount; }
But it won't work properly when _from == to so users can increase their balance as they like.
I've created a test for the proof and you can copy the below code here and check the result.
vm.prank(BOB); pair.setApprovalForAll(DEV, true); pair.safeTransferFrom(BOB, BOB, _ids[0], amounts[0]); assertEq(pair.balanceOf(BOB, _ids[0]), 2 * amounts[0]);
We can see the balance is doubled when BOB transfers the entire tokens to BOB again.
Manual Review, Foundry
We can modify this part like below.
_balances[_id][_from] -= _amount; _balances[_id][_to] += _amount;
#0 - trust1995
2022-10-23T20:43:01Z
Great find!
#1 - GalloDaSballo
2022-10-26T16:35:40Z
#2 - c4-judge
2022-11-23T18:28:28Z
GalloDaSballo marked the issue as not a duplicate
#3 - c4-judge
2022-11-23T18:28:58Z
GalloDaSballo marked the issue as duplicate of #299
#4 - Simon-Busch
2022-12-05T06:38:30Z
Marked this issue as Satisfactory as requested by @GalloDaSballo
🌟 Selected for report: KIntern_NA
Also found by: Jeiwan, cccz, hansfriese
1876.8857 USDC - $1,876.89
It calculates the amountsIn wrongly here and the function returns the wrong result.
Currently, _getAmountsIn() calculates the amountsIn like below.
amountsIn[i - 1] = (_reserveIn * amountOut_ * 1_000) / (_reserveOut - amountOut_ * 997) + 1;
As we can see here, we should fix (_reserveOut - amountOut_ * 997) to ((_reserveOut - amountOut_) * 997).
Manual Review, Foundry
This line should be fixed like below.
amountsIn[i - 1] = (_reserveIn * amountOut_ * 1_000) / ((_reserveOut - amountOut_) * 997) + 1;
#0 - Shungy
2022-10-25T05:12:32Z
I believe this finding to be valid.
The math error do indeed exist. But this finding has skipped the impact of this issue. Will it simply cause revert? Will it result in loss of funds?
This duplicate goes more into detail: https://github.com/code-423n4/2022-10-traderjoe-findings/issues/400
#1 - GalloDaSballo
2022-10-26T16:40:06Z
#2 - c4-judge
2022-11-09T16:16:28Z
GalloDaSballo marked the issue as satisfactory
#3 - c4-judge
2022-11-16T22:00:10Z
GalloDaSballo marked the issue as not a duplicate
#4 - c4-judge
2022-11-16T22:00:16Z
GalloDaSballo marked the issue as duplicate of #400
🌟 Selected for report: 0xSmartContract
Also found by: Aymen0909, Dravee, Josiah, M4TZ1P, Mukund, Nyx, SooYa, catchup, cccz, chaduke, csanuragjain, djxploit, hansfriese, ladboy233, leosathya, pashov, rvierdiiev, sorrynotsorry, supernova, vv7, wagmi, zzykxx
0.006 USDC - $0.01
Judge has assessed an item in Issue #446 as M risk. The relevant finding follows:
[L-01] There should be an upper limit for LBFactory.flashLoanFee https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBFactory.sol#L66 https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBFactory.sol#L474 If the admin sets the flashLoanFee too high, the flash loan functionality might be useless as users won't use it.
#0 - c4-judge
2022-11-14T23:24:03Z
GalloDaSballo marked the issue as duplicate of #139
#1 - Simon-Busch
2022-12-05T06:31:10Z
Marked this issue as Satisfactory as requested by @GalloDaSballo
279.8109 USDC - $279.81
LBFactory.flashLoanFeeIf the admin sets the flashLoanFee too high, the flash loan functionality might be useless as users won't use it.
#0 - GalloDaSballo
2022-11-09T19:20:33Z
M-03
NC
L
#1 - GalloDaSballo
2022-11-14T23:23:45Z
1L 1NC
#2 - c4-judge
2022-11-16T21:08:52Z
GalloDaSballo marked the issue as grade-b