Platform: Code4rena
Start Date: 22/09/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 175
Period: 14 days
Judge: alcueca
Total Solo HM: 4
Id: 287
League: ETH
Rank: 151/175
Findings: 1
Award: $11.47
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0xAadi, 0xDING99YA, 0xDemon, 0xRstStn, 0xSmartContract, 0xStriker, 0xWaitress, 0xbrett8571, 0xfuje, 0xsagetony, 0xsurena, 33BYTEZZZ, 3docSec, 7ashraf, ABA, ABAIKUNANBAEV, Aamir, Audinarey, Bauchibred, Black_Box_DD, Daniel526, DanielArmstrong, DanielTan_MetaTrust, Dinesh11G, Eurovickk, Franklin, Inspecktor, John, Jorgect, Joshuajee, K42, Kek, Koolex, LokiThe5th, MIQUINHO, Myd, NoTechBG, QiuhaoLi, SanketKogekar, Sathish9098, Sentry, Soul22, SovaSlava, Stormreckson, Tendency, Topmark, Udsen, V1235816, Viktor_Cortess, Viraz, Yanchuan, ZdravkoHr, Zims, albahaca, albertwh1te, alexweb3, alexxander, ast3ros, audityourcontracts, bareli, bin2chen, bronze_pickaxe, c0pp3rscr3w3r, cartlex_, castle_chain, chaduke, debo, ether_sky, gumgumzum, imare, its_basu, jaraxxus, jasonxiale, josephdara, kodyvim, ladboy233, lanrebayode77, lsaudit, mert_eren, minhtrng, n1punp, nadin, niroh, nmirchev8, orion, peakbolt, perseverancesuccess, pfapostol, ptsanev, rvierdiiev, saneryee, shaflow2, te_aut, terrancrypt, twcctop, unsafesol, ustas, versiyonbir, windhustler, yongskiws, zhaojie, ziyou-
11.4657 USDC - $11.47
Users may transfer more money than intended, resulting in a net loss for the user.
In _bridgeOut, either the hToken or the underlying token is being sent to the BranchPort address. For the hToken, the tokens will be burned and for the underlying, the token will be stored in the BranchPort contract.
    // Check if hTokens are being bridged out
    if (_hTokenAmount > 0) {
        _localAddress.safeTransferFrom(_depositor, address(this), _hTokenAmount);
        ERC20hTokenBranch(_localAddress).burn(_hTokenAmount);
    }

    // Check if underlying tokens are being bridged out
    if (_deposit > 0) {
        _underlyingAddress.safeTransferFrom(_depositor, address(this), _deposit);
    }
According to the discussions on Discord, the protocol admin mentions that if the user has 5 hToken and 5 underlying token, the amount called should be 10 and _deposit should be 5. This means that 5 hToken will be burnt from the user and 10 underlying token will be transferred from the user to the Port, instead of 5 underlying token.
If a user wants to transfer 10 tokens in total, he has to transfer 15 instead (5 hToken burnt and 10 underlying transferred).
VSCode
Make sure that the calculation is correct so that if the user wants to transfer 10 tokens (5 hToken and 5 underlying), he will only need 5 hToken and 5 underlying, instead of 5 hToken and 10 underlying. This issue might be due to this line
uint256 _hTokenAmount = _amount - _deposit;
which is pretty confusing. Amount should not be the total amount of tokens to bridge out but rather just the underlying amount of tokens to bridge out.
Other
#0 - c4-pre-sort
2023-10-12T07:25:32Z
0xA5DF marked the issue as low quality report
#1 - 0xA5DF
2023-10-12T07:27:39Z
> This means that 5 hToken will be burnt from the user and 10 underlying token will be transferred from the user to the Port, instead of 5 underlying token.

No, user would be paying with 5 hTokens and 5 underlying tokens. So user gets what he paid for. Any suggestion regarding the way parameters are named isn't more than a QA.
#2 - c4-judge
2023-10-22T06:03:22Z
alcueca changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-10-22T06:03:26Z
alcueca marked the issue as grade-b