Back to imare's contests

Althea Liquid Infrastructure - imare's results

Liquid Infrastructure.

General Information

Platform: Code4rena

Start Date: 13/02/2024

Pot Size: $24,500 USDC

Total HM: 5

Participants: 84

Period: 6 days

Judge: 0xA5DF

Id: 331

League: ETH

Althea

Findings Distribution

Researcher Performance

Rank: 52/84

Findings: 1

Award: $25.73

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAlthea

Findings Information

🌟 Selected for report: nuthan2x

Also found by: 0x0bserver, AM, CaeraDenoir, DanielArmstrong, JrNet, Kirkeelee, KmanOfficial, Krace, Limbooo, Meera, SovaSlava, SpicyMeatball, TheSavageTeddy, agadzhalov, aslanbek, atoko, csanuragjain, d3e4, imare, jesjupyter, juancito, kartik_giri_47538, kutugu, max10afternoon, offside0011, pkqs90, turvy_fuzz, xchen1130, zhaojohnson, ziyou-

Awards

25.7286 USDC - $25.73

Labels

bug
2 (Med Risk)
downgraded by judge
high quality report
satisfactory
sponsor confirmed
duplicate-87

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L441-L445

Vulnerability details

Impact

The owner of LiquidInfrastructureERC20 contract can change the list of distributable tokens in the middle of a distribution and in doing this it can block the process of the distribution or send wrong entitlement amounts to holders.

Proof of Concept

A distribution can run for more the one distribute call if we have a large number of holders to prevent a DOS situation. This is done by limiting the number of distribution per run:

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L208-L214

To protect the distribution function from other contract operation that can interfere with the process the contract in the begining sets a variable :

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L257-L262

The distribution finally ends when the number of all transfers is equal to the number of holders:

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L234-L236

But as already mentioned the owner can change the list of distributable tokens in the middle of the distribution process:

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L441-L445

This list is used on the first distribute run to calculate all amounts entitlements for specific tokens :

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L271-L277

And this calculated values are used in for each holder per distribution run:

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L222-L223

If the changed list is not the same we have two main problems :

  • distribution will revert becouse the new list is shorter then the original one => a out of index revert will happen on this line:

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L221

  • if the list is larger or same size but the order of tokens or the tokens address in the new list are not the same, than the entitlement used are the wrong ones because this values are only calculated on the first distribute run:

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L222

Tools Used

Manual review

Block the changing of the distributable ERC20 list when distribution is in progress :

    function setDistributableERC20s(
        address[] memory _distributableERC20s
    ) public onlyOwner {
+       require(!LockedForDistribution, "distribution in progress");
        distributableERC20s = _distributableERC20s;
    }

Assessed type

Other

#0 - c4-pre-sort

2024-02-20T04:34:33Z

0xRobocop marked the issue as high quality report

#1 - 0xRobocop

2024-02-20T04:35:24Z

This issue describes several potential issues when changing the ERC20s array. Because of this I will agreggate all the related issues to this one.

#2 - c4-pre-sort

2024-02-20T04:38:04Z

0xRobocop marked the issue as primary issue

#3 - c4-sponsor

2024-03-01T19:55:47Z

ChristianBorst (sponsor) confirmed

#4 - ChristianBorst

2024-03-01T19:56:49Z

This is a significant issue and the recommended mitigation is high quality.

#5 - c4-judge

2024-03-04T15:06:03Z

0xA5DF marked the issue as satisfactory

#6 - c4-judge

2024-03-04T15:10:47Z

0xA5DF marked issue #87 as primary and marked this issue as a duplicate of 87

#7 - c4-judge

2024-03-08T15:26:19Z

0xA5DF changed the severity to 2 (Med Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter