LI.FI contest - hubble's results

Bridge & DEX Aggregation.

General Information

Platform: Code4rena

Start Date: 24/03/2022

Pot Size: $75,000 USDC

Total HM: 15

Participants: 59

Period: 7 days

Judge: gzeon

Id: 103

League: ETH

LI.FI

Findings Distribution

Researcher Performance

Rank: 51/59

Findings: 1

Award: $113.58

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

113.5781 USDC - $113.58

Labels

bug
sponsor disputed
QA (Quality Assurance)

External Links

Lines of code

https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/AnyswapFacet.sol#L35-L53
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/AnyswapFacet.sol#L145

Vulnerability details

Impact

If startBridgeTokensViaAnyswap is called with the token address (_anyswapData.token) wrongly set to 0, the amount (msg.value) intended for the AnySwap swap/bridge is sent to the contract address, since this function is payable, and the user may not be able to recover that amount on their own.

Proof of Concept

Contract: AnyswapFacet.sol. In the function startBridgeTokensViaAnyswap, if _anyswapData.token is set to 0, msg.value is compared to _anyswapData.amount and then _startBridge(_anyswapData) is called.

In _startBridge(_anyswapData), if _anyswapData.token is 0 there is no further check, and the function succeeds without any error.

In _startBridge(_anyswapData), add a revert statement for the case where _anyswapData.token is 0, for example by adding an else branch to the check on line #145: if (_anyswapData.token != address(0)) ...
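As an added illustration (not the LI.FI code or the actual AnyswapFacet), a simplified facet with the explicit zero-address guard the report recommends, beside the implicit revert the sponsor's comment relies on; the struct, interface, error and event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for the IAnyswapToken interface referenced in the report.
interface IAnyswapToken {
    function underlying() external view returns (address);
}

// Minimal illustration of the recommended guard, not the real AnyswapFacet.
contract AnyswapFacetExample {
    struct AnyswapData {
        address token;   // token to bridge; address(0) is the case under discussion
        uint256 amount;  // amount to bridge
    }

    error ZeroTokenAddress();
    error AmountMismatch(uint256 expected, uint256 sent);
    event BridgeStarted(address token, address underlying, uint256 amount);

    // Hardened entry point: an explicit guard fails fast with a clear reason
    // before any value handling, so a mis-set token field can never leave
    // msg.value sitting in the contract.
    function startBridgeTokensViaAnyswap(AnyswapData calldata _anyswapData) external payable {
        if (_anyswapData.token == address(0)) revert ZeroTokenAddress();
        if (msg.value != _anyswapData.amount) revert AmountMismatch(_anyswapData.amount, msg.value);
        _startBridge(_anyswapData);
    }

    function _startBridge(AnyswapData calldata _anyswapData) internal {
        // Without the guard above, this high-level call is what protects the
        // funds: Solidity reverts a call to an address with no code (via the
        // extcodesize check, or because the empty return data cannot be ABI
        // decoded), and the revert hands msg.value back to the caller.
        // The explicit guard makes that failure intentional and documented
        // rather than a side effect of the compiler's call encoding.
        address underlying = IAnyswapToken(_anyswapData.token).underlying();
        emit BridgeStarted(_anyswapData.token, underlying, _anyswapData.amount);
        // ... the actual bridging logic would follow here.
    }
}
```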

#0 - maxklenk

2022-03-31T12:43:52Z

If _anyswapData.token == address(0) were passed, it would fail and revert immediately, as it does for all addresses which do not follow the AnySwapToken interface: IAnyswapToken(_anyswapData.token).underlying()
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/AnyswapFacet.sol#L36

Therefore the described problem is not actually present.

#1 - gzeoneth

2022-04-16T17:13:22Z

Downgrading to Low/QA. Treating as warden's QA Report.

#2 - JeeberC4

2022-04-17T04:24:23Z

Preserving original title: Funds lost when using Anyswap with token address set to 0
