Abracadabra Mimswap - hassan-truscova's results

General Information

Platform: Code4rena

Start Date: 07/03/2024

Pot Size: $63,000 USDC

Total HM: 20

Participants: 36

Period: 5 days

Judge: cccz

Total Solo HM: 11

Id: 349

League: BLAST

Abracadabra Money

Findings Distribution

Researcher Performance

Rank: 33/36

Findings: 1

Award: $15.33

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

15.328 USDC - $15.33

Labels

bug
downgraded by judge
grade-b
QA (Quality Assurance)
sponsor disputed
sufficient quality report
:robot:_40_group
Q-14

External Links

Lines of code

https://github.com/code-423n4/2024-03-abracadabra-money/blob/main/src/blast/BlastOnboarding.sol#L214-L216
https://github.com/code-423n4/2024-03-abracadabra-money/blob/main/src/blast/BlastOnboarding.sol#L132-L141

Vulnerability details

Impact

The owner can call `pause()` at any time, and `withdraw()` is gated by `whenNotPaused`, so once the contract is paused there is no path for users to retrieve their deposited funds until the owner chooses to unpause. Users have no guarantee that the pause will be lifted after any fixed period, which may discourage people from depositing in the first place.

Proof of Concept

    // Owner-only, no delay: takes effect in the same transaction.
    function pause() external onlyOwner {
        _pause();
    }

    // The only way out for depositors, and it is blocked while paused.
    function withdraw(address token, uint256 amount) external whenNotPaused onlySupportedTokens(token) {
        balances[msg.sender][token].unlocked -= amount;
        balances[msg.sender][token].total -= amount;
        totals[token].unlocked -= amount;
        totals[token].total -= amount;

        token.safeTransfer(msg.sender, amount);

        emit LogWithdraw(msg.sender, token, amount);
    }

Tools Used

manual + in-house

Recommended Mitigation Steps

  • Implement a timelock for pause: introduce a time delay between scheduling and activating the pause, so users have a known window in which to withdraw or adjust their positions before withdrawals are blocked.

  • Emergency withdraw function: add a function that lets users withdraw their own unlocked balance even while the contract is paused. It should reuse the same accounting as `withdraw()` and grant no new capability, so that it provides a safe exit without opening a new attack surface.
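One way to implement both recommendations together, as an added example that is not BlastOnboarding's code or the sponsor's fix. It assumes OpenZeppelin v5.x (`Ownable`, `Pausable`, `SafeERC20`), a `Balance` struct with the same `unlocked`/`total` fields the report's snippet uses, and a hypothetical two-day `PAUSE_DELAY`; the `onlySupportedTokens` modifier from the original is left out for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not project code. Assumes OpenZeppelin v5.x import paths.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract TimelockedPauseVault is Ownable, Pausable {
    using SafeERC20 for IERC20;

    // Mirrors the field names used in the report's snippet (assumption).
    struct Balance { uint256 unlocked; uint256 total; }

    uint256 public constant PAUSE_DELAY = 2 days; // hypothetical delay
    uint256 public pauseEffectiveAt;              // 0 means no pause scheduled

    mapping(address => mapping(address => Balance)) public balances;
    mapping(address => Balance) public totals;

    event LogPauseScheduled(uint256 effectiveAt);
    event LogPauseCancelled();
    event LogDeposit(address indexed user, address indexed token, uint256 amount);
    event LogWithdraw(address indexed user, address indexed token, uint256 amount);
    event LogEmergencyWithdraw(address indexed user, address indexed token, uint256 amount);

    constructor() Ownable(msg.sender) {}

    function deposit(address token, uint256 amount) external whenNotPaused {
        balances[msg.sender][token].unlocked += amount;
        balances[msg.sender][token].total += amount;
        totals[token].unlocked += amount;
        totals[token].total += amount;
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        emit LogDeposit(msg.sender, token, amount);
    }

    // Step 1: the owner announces the pause. Nothing is blocked yet, and the
    // emitted timestamp gives users a known window to exit.
    function schedulePause() external onlyOwner {
        require(pauseEffectiveAt == 0, "pause already scheduled");
        pauseEffectiveAt = block.timestamp + PAUSE_DELAY;
        emit LogPauseScheduled(pauseEffectiveAt);
    }

    function cancelPause() external onlyOwner {
        require(pauseEffectiveAt != 0, "no pause scheduled");
        pauseEffectiveAt = 0;
        emit LogPauseCancelled();
    }

    // Step 2: once the delay has elapsed anyone may execute the pause, so the
    // owner cannot shorten the window by calling it early.
    function pause() external {
        require(pauseEffectiveAt != 0, "no pause scheduled");
        require(block.timestamp >= pauseEffectiveAt, "delay not elapsed");
        pauseEffectiveAt = 0;
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    // Normal path: same semantics as before, still blocked while paused.
    function withdraw(address token, uint256 amount) external whenNotPaused {
        _withdraw(token, amount);
        emit LogWithdraw(msg.sender, token, amount);
    }

    // Escape hatch: deliberately usable only while paused. It moves nothing
    // but the caller's own unlocked balance through the same accounting as
    // withdraw(), so it adds no capability; it only removes the owner's
    // ability to strand funds indefinitely.
    function emergencyWithdraw(address token, uint256 amount) external whenPaused {
        _withdraw(token, amount);
        emit LogEmergencyWithdraw(msg.sender, token, amount);
    }

    // Checks-effects-interactions: state is updated before the transfer.
    function _withdraw(address token, uint256 amount) internal {
        Balance storage b = balances[msg.sender][token];
        require(amount <= b.unlocked, "insufficient unlocked balance");
        b.unlocked -= amount;
        b.total -= amount;
        totals[token].unlocked -= amount;
        totals[token].total -= amount;
        IERC20(token).safeTransfer(msg.sender, amount);
    }
}
```

The important design choice is that `pause()` is permissionless once scheduled: if only the owner could execute it, the owner could still schedule far in advance and execute whenever convenient, but could not execute before `pauseEffectiveAt`, which is the property that matters. `emergencyWithdraw()` shares `_withdraw()` with the normal path so that a paused contract cannot end up with different accounting rules from an unpaused one.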

Assessed type

Other

#0 - 0xm3rlin

2024-03-15T01:00:04Z

intended behavior

#1 - c4-pre-sort

2024-03-15T13:03:40Z

141345 marked the issue as sufficient quality report

#2 - 141345

2024-03-15T13:03:55Z

Need timelock for pause withdraw; QA is more appropriate.

#3 - c4-sponsor

2024-03-28T17:12:12Z

0xCalibur (sponsor) disputed

#4 - c4-judge

2024-03-29T14:44:22Z

thereksfour changed the severity to QA (Quality Assurance)

#5 - c4-judge

2024-03-29T16:51:33Z

thereksfour marked the issue as grade-c

#6 - c4-judge

2024-04-05T17:35:54Z

thereksfour marked the issue as grade-b
