Anchor contest - hubble's results

The Benchmark DeFi Yield.

General Information

Platform: Code4rena

Start Date: 24/02/2022

Pot Size: $170,000 UST

Total HM: 15

Participants: 16

Period: 14 days

Judge: Albert Chon

Total Solo HM: 11

Id: 82

League: COSMOS

Anchor

Researcher Performance

Rank: 7/16

Findings: 2

Award: $7,300.23

🌟 Selected for report: 1

🚀 Solo Findings: 1

Findings Information

🌟 Selected for report: hubble

Labels

bug
2 (Med Risk)

Awards

5460.7624 USDC - $5,460.76

External Links

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bAsset-contracts/contracts/anchor_basset_hub/src/config.rs#L90-L97

Vulnerability details

Updating the hub’s token contract address may lead to incorrect undelegation amounts

Impact

The hub contract allows config updates to the token_contract config value in anchor-bAsset-contracts/contracts/anchor_basset_hub/src/config.rs. Such updates can cause wrong token amounts to be calculated while undelegations are processed, because the amount of unbonded bLuna tokens is stored for batched unbonding as requested_with_fee.

Proof of Concept

Contract: anchor-bAsset-contracts/contracts/anchor_basset_hub/src/config.rs
Function: pub fn execute_update_config(...)
Line 90:

    if let Some(token) = token_contract {
        let token_raw = deps.api.addr_canonicalize(token.as_str())?;

        CONFIG.update(deps.storage, |mut last_config| -> StdResult<Config> {
            last_config.token_contract = Some(token_raw);
            Ok(last_config)
        })?;
    }

It's recommended to remove the ability to update the token_contract config value, or to assert that requested_with_fee is zero before allowing an update of the token_contract address.
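The second mitigation, sketched as an added example that is not part of the original submission or the Anchor code base. It uses std-only stand-ins instead of cosmwasm_std storage; the `Hub` struct, `ConfigError` enum, `update_token_contract` name and the owner gate are assumptions, and only `token_contract` and `requested_with_fee` come from the finding.

```rust
// Simplified stand-in for the hub's stored state (hypothetical layout).
#[derive(Debug, PartialEq)]
pub enum ConfigError {
    Unauthorized,
    PendingUnbondRequests { requested_with_fee: u128 },
}

pub struct Hub {
    pub owner: String,
    pub token_contract: Option<String>,
    /// bLuna queued in the current unbonding batch, counted against the
    /// token contract that was configured when the requests arrived.
    pub requested_with_fee: u128,
}

impl Hub {
    /// Refuses to swap the token contract while the current batch still
    /// holds unbond requests recorded against the old one.
    pub fn update_token_contract(
        &mut self,
        sender: &str,
        token: Option<String>,
    ) -> Result<(), ConfigError> {
        // Owner gate assumed for this sketch.
        if sender != self.owner {
            return Err(ConfigError::Unauthorized);
        }
        if let Some(token) = token {
            // Every check runs before any state is written.
            if self.requested_with_fee != 0 {
                return Err(ConfigError::PendingUnbondRequests {
                    requested_with_fee: self.requested_with_fee,
                });
            }
            self.token_contract = Some(token);
        }
        Ok(())
    }
}

fn main() {
    // Constructed scenario: requests are queued, so the swap is rejected.
    let mut hub = Hub { owner: "owner".into(), token_contract: Some("token_a".into()), requested_with_fee: 1_000_000 };
    println!("{:?}", hub.update_token_contract("owner", Some("token_b".into())));
    // Once the batch has been processed and the counter is zero, it succeeds.
    hub.requested_with_fee = 0;
    println!("{:?} -> {:?}", hub.update_token_contract("owner", Some("token_b".into())), hub.token_contract);
}
```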

#0 - GalloDaSballo

2022-08-06T20:42:11Z

Looks like Admin Privilege so Med seems appropriate

Findings Information

🌟 Selected for report: hickuphh3

Also found by: 0xliumin, 0xwags, BondiPestControl, IllIllI, WatchPug, broccoli, cccz, cmichel, defsec, gzeon, hubble, robee

Labels

bug
QA (Quality Assurance)

Awards

1839.4668 USDC - $1,839.47

External Links

Title : Missing input validation for values which should not be greater than 1

Impact

Various contracts allow updates to config or parameter values which should never be greater than 1. Input validation for this is missing in these update functions. If values greater than 1 are accepted, the result may be unpredictable behavior or a panic.

Proof of Concept

Listed below are some of the values which should be checked.

#1
Config: max_borrow_factor
Contract: money-market-contracts/contracts/market/src/contract.rs
Function: pub fn update_config(...)
Line 321:

    if let Some(max_borrow_factor) = max_borrow_factor {
        config.max_borrow_factor = max_borrow_factor;
    }

#2
Config: base_rate
Contract: money-market-contracts/contracts/interest_model/src/contract.rs
Function: pub fn update_config(...)
Line 74:

    if let Some(base_rate) = base_rate {
        config.base_rate = base_rate;
    }

#3
Config: interest_multiplier
Contract: money-market-contracts/contracts/interest_model/src/contract.rs
Function: pub fn update_config(...)
Line 78:

    if let Some(interest_multiplier) = interest_multiplier {
        config.interest_multiplier = interest_multiplier;
    }

It's recommended to add a check that the values for these configs are not more than 1.
