Back to itsmeSTYJ's contests

Streaming Protocol contest - itsmeSTYJ's results

General Information

Platform: Code4rena

Start Date: 30/11/2021

Pot Size: $100,000 USDC

Total HM: 15

Participants: 36

Period: 7 days

Judge: 0xean

Total Solo HM: 4

Id: 62

League: ETH

Streaming Protocol

Findings Distribution

Researcher Performance

Rank: 24/36

Findings: 2

Award: $1,246.40

🌟 Selected for report: 1

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryStreaming Protocol

Findings Information

🌟 Selected for report: egjlmn1

Also found by: WatchPug, itsmeSTYJ, toastedsteaksandwich

Labels

bug
duplicate
2 (Med Risk)
disagree with severity
sponsor acknowledged

Awards

440.5795 USDC - $440.58

External Links

Link to GitHub issue

Handle

itsmeSTYJ

Vulnerability details

Impact

It is possible to frontrun the standard ERC20 token approve function.

Proof of Concept

Read this for more info.

Either require that allowance is 0 before approve can be called or use increase / decrease allowance e.g. openzeppelin's ERC20 token implementation

#0 - 0xean

2022-01-16T00:56:18Z

dupe of #55

Findings Information

🌟 Selected for report: itsmeSTYJ

Labels

bug
1 (Low Risk)
sponsor disputed

Awards

805.8152 USDC - $805.82

External Links

Link to GitHub issue

Handle

itsmeSTYJ

Vulnerability details

Impact

Some projects might rely on tx.origin to remove the need for calling approve() for their token. When these tokens are used as a deposit, reward or incentive token, it is possible to steal these funds by sending in a malicious token that calls the vulnerable token internally.

Stream creators who cannot read code are more susceptible to this attack as they are not aware that the token is using tx.origin instead of msg.sender.

Proof of Concept

  • Vulnerable token (A) used as deposit token.
  • Many users deposit token A
  • User creates malicious token (B) which calls A.transfer() inside of B.transfer().
  • User sends in a malicious token (B) and requests (or even pays) the stream creator to help retrieve these funds for them.
  • When the stream creator calls recoverTokens(B, attacker), it will send back B to the attacker but at the same time, it will also steal all of A.

Here's an article of the rune token being attacked. https://www.adrianhetman.com/unboxing-tx-origin/

  • I think there's no way to prevent this at a smart contract level so my recommendation is that on the UI level, suggest tokens to the stream creators by allowing them to choose from a dropdown list e.g. token lists
  • If they still wish to use a custom token, you can have a second prompt to remind them to check that the token does not use tx.origin.

#0 - brockelmore

2021-12-03T23:14:15Z

While this is possible, the only way this is exploitable is:

  1. Token A is nonconforming ERC20 that does tx.origin
  2. The stream creator engineered their token, token B, to rugpull for this specific case

I would consider the fact that its nonconforming and the stream creator has to intentionally enable a mechanism to rug pull this specific token as this being either low risk or invalid. The benchmark here is that uniswap would be vulnerable to this exact thing as well.

#1 - 0xean

2022-01-16T00:52:58Z

Marking down to low-risk

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter