Back to ilan's contests

Mimo DeFi contest - ilan's results

Bridging the chasm between the DeFi world and the world of regulated financial institutions.

General Information

Platform: Code4rena

Start Date: 28/04/2022

Pot Size: $50,000 USDC

Total HM: 7

Participants: 43

Period: 5 days

Judge: gzeon

Total Solo HM: 2

Id: 115

League: ETH

Mimo DeFi

Findings Distribution

Researcher Performance

Rank: 35/43

Findings: 1

Award: $89.04

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryMimo DeFi

Findings Information

🌟 Selected for report: Dravee

Also found by: 0x1f8b, 0x4non, 0x52, 0xDjango, AlleyCat, Funen, GalloDaSballo, GimelSec, Hawkeye, MaratCerby, Picodes, berndartmueller, cccz, defsec, delfin454000, dipp, hyh, ilan, joestakey, kebabsec, luduvigo, pauliax, peritoflores, robee, rotcivegaf, samruna, shenwilly, sikorico, simon135, sorrynotsorry, unforgiven, z3s

Awards

89.0354 USDC - $89.04

Labels

bug
QA (Quality Assurance)
sponsor disputed

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L271 https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L283 https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L218

Vulnerability details

Impact

when calling transferFrom or transfer of an external token a bool indicating success / fail is returned. Not checking this return value can cause the transaction to proceed even when the transfer has failed.

for example in SuperVault.depositToVault token.transferFrom can fail but the asset will still get deposited.

Proof Of Concept

From the ERC20 docs:

transfer(address recipient, uint256 amount) → bool external Moves amount tokens from the caller’s account to recipient.

Returns a boolean value indicating whether the operation succeeded.

Emits a Transfer event.

transferFrom(address sender, address >recipient, uint256 amount) → bool external

Moves amount tokens from sender to recipient using the allowance mechanism. amount is then deducted from the caller’s allowance.

Returns a boolean value indicating whether the operation succeeded.

Emits a Transfer event.

In SuperValut.depositToVault, SuperValut.depositAndBorrowFromVault, SuperValut.emptyVault transferFrom (or transfer) return value is not checked. an asset which returns false in transferFrom (or transfer) can be passed to these functions.

An example for such asset is the Basic Attention Token which implements this transfer() and this transferFrom()

Tools Used

Manual Inspection with VSCode.

Recommended Mitigation Steps

check the return values of these calls: token.transferFrom(msg.sender, address(this), amount); -> require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");

and the same for transfer()

#0 - m19

2022-05-05T09:25:48Z

If the transferFrom has failed in SuperVault, the call to VaultsCore will fail

#1 - gzeoneth

2022-06-05T16:10:23Z

Since the transfer should be one that accepted by the core protocol and according to https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/config/deployment.ts#L65 it seems that all asset will revert upon failed transfer, this listing of new asset can be guarded by owner, downgrading to Low / QA.

#2 - gzeoneth

2022-06-05T16:31:58Z

Treating as warden's QA report.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter