Back to jasonxiale's contests

Munchables - jasonxiale's results

A web3 point farming game in which Keepers nurture creatures to help them evolve, deploying strategies to earn them rewards in competition with other players.

General Information

Platform: Code4rena

Start Date: 22/05/2024

Pot Size: $20,000 USDC

Total HM: 6

Participants: 126

Period: 5 days

Judge: 0xsomeone

Total Solo HM: 1

Id: 379

League: ETH

Munchables

Findings Distribution

Researcher Performance

Rank: 54/126

Findings: 2

Award: $0.01

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryMunchables

Findings Information

🌟 Selected for report: Circolors

Also found by: 0rpse, 0x175, 0xAadi, 0xHash, 0xMax1mus, 0xMosh, 0xblack_bird, 0xdice91, 0xfox, 0xhacksmithh, 0xloscar01, 0xrex, 4rdiii, Audinarey, AvantGard, Bigsam, DPS, Dots, Drynooo, Dudex_2004, Evo, Kaysoft, King_, Limbooo, MrPotatoMagic, PENGUN, Sabit, SovaSlava, SpicyMeatball, TheFabled, Utsav, Varun_05, Walter, adam-idarrha, araj, aslanbek, ayden, bctester, biakia, bigtone, brgltd, carrotsmuggler, cats, crypticdefense, dd0x7e8, dhank, fandonov, fyamf, grearlake, iamandreiski, ilchovski, jasonxiale, joaovwfreire, lanrebayode77, m4ttm, merlinboii, niser93, nnez, octeezy, oxchsyston, pamprikrumplikas, rouhsamad, tedox, trachev, turvy_fuzz, twcctop, yotov721, zhaojohnson

Awards

0.0042 USDC - $0.00

Labels

bug
3 (High Risk)
partial-75
sufficient quality report
edited-by-warden
:robot:_05_group
duplicate-165

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L275-L294 https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L311-L398

Vulnerability details

Impact

lockOnBehalf can be used to lock tokens for someone else, when the function is called, _lock will be called.

Whin _lock, there are a few things will happened.

  1. token will be transferred from msg.send to the contract in LockManager.sol#L374-L377
  2. lockedToken.unlockTime will be updated in [https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L382-L384]

But the implementation has some issue:

  1. anyone can call lockOnBehalf for anyone
  2. there is no limitation for _quantity parameter

Proof of Concept

Because the two issue above, Alice(a malicious user) can call lockOnBehalf with zero _quantity to target anyone else by setting _onBehalfOf

After the function, lockRecipient's lockedToken.unlockTime will be extended in LockManager.sol#L382-L384, if Alice keeps calling this function before the normal user, the user's lockedToken.unlockTime will keep increasing.

Bob(the normal user) calls unlock to withdraw his assets, because lockedToken.unlockTime > uint32(block.timestamp) in LockManager.sol#L410-L411, his tx will be reverted

Tools Used

VS

Assessed type

Timing

#0 - c4-judge

2024-06-05T12:58:09Z

alex-ppg marked the issue as partial-75

Findings Information

🌟 Selected for report: SpicyMeatball

Also found by: 0rpse, 0xMosh, 0xblack_bird, 0xdice91, 0xhacksmithh, 0xleadwizard, 0xmystery, Audinarey, AvantGard, Bigsam, Dots, EPSec, Eeyore, Janio, Limbooo, LinKenji, Mahmud, MrPotatoMagic, Myd, Oxsadeeq, Sabit, SovaSlava, Stefanov, Tychai0s, Utsav, Varun_05, Walter, adam-idarrha, ahmedaghadi, araj, aslanbek, ayden, bigtone, c0pp3rscr3w3r, carrotsmuggler, crypticdefense, dhank, fyamf, gajiknownnothing, gavfu, itsabinashb, jasonxiale, joaovwfreire, ke1caM, leegh, merlinboii, mitko1111, n4nika, pfapostol, prapandey031, rouhsamad, sandy, snakeeaterr, stakog, steadyman, swizz, tedox, th3l1ghtd3m0n, trachev, turvy_fuzz, xyz, yashgoel72, zhaojohnson

Awards

0.0105 USDC - $0.01

Labels

bug
3 (High Risk)
partial-75
sufficient quality report
:robot:_03_group
duplicate-7

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L245-L272

Vulnerability details

Impact

Quoting from Attack ideas (where to focus for bugs):

and that people cannot reduce lockup times that are previously set.

It means that lockedTokens[msg.sender][tokenContract].unlockTime can't be reduced. But according to the implementation, lockedTokens[msg.sender][tokenContract].unlockTime can be reduced.

Proof of Concept

In LockManager.sol#L256-L261, the function use uint32(block.timestamp) + uint32(_duration) < lockedTokens[msg.sender][tokenContract].unlockTime to make sure that unlockTime can't be reduced, but this is not correct.

Suppose current block.timestamp is 1716634739(Sat May 25 18:58:59 CST 2024) before calling setLockDuration: lockedTokens[msg.sender][tokenContract].unlockTime is 1718362739(Fri Jun 14 18:58:59 CST 2024) lockedTokens[msg.sender][tokenContract].lastLockTime is 1715770739(Wed May 15 18:58:59 CST 2024)

If we call setLockDuration using 20 days as parameter: The check in LockManager.sol#L256-L261 will be passed because: 1716634739 + 21 days == 1718362739 == lockedTokens[msg.sender][tokenContract].unlockTime

And then in LockManager.sol#L265-L267, the lockedTokens[msg.sender][tokenContract].unlockTime will be 1715770739 + 20 days == 1717498739, which is Tue Jun 4 18:58:59 CST 2024.

So and that people cannot reduce lockup times that are previously set. is broken.

Tools Used

VS

Assessed type

Invalid Validation

#0 - c4-judge

2024-06-04T12:41:46Z

alex-ppg marked the issue as duplicate of #89

#1 - c4-judge

2024-06-05T12:52:30Z

alex-ppg marked the issue as partial-75

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter