XDEFI contest - jayjonah8's results

The fastest wallet in DeFi.

General Information

Platform: Code4rena

Start Date: 04/01/2022

Pot Size: $25,000 USDC

Total HM: 3

Participants: 40

Period: 3 days

Judge: Ivo Georgiev

Total Solo HM: 1

Id: 75

League: ETH

XDEFI

Findings Distribution

Researcher Performance

Rank: 29/40

Findings: 1

Award: $37.37

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository XDEFI

Findings Information

🌟 Selected for report: cccz

Also found by: Jujic, Tomio, WatchPug, agusduha, certora, hack3r-0m, jayjonah8, ye0lde

Labels

bug

duplicate

1 (Low Risk)

disagree with severity

sponsor acknowledged

Awards

37.3718 USDC - $37.37

External Links

Link to GitHub issue

Handle

jayjonah8

Vulnerability details

Impact

In XDEFIDistribution.sol the setLockPeriods() function takes in 2 args (durations_ and multipliers) which are both arrays. The function does not insure that both arrays are the same length. So you can actually put in a larger number of durations_ than multipliers which is a problem because after every loop in the function of durations_.length an event is emitted for the multiplier at that index. If there are more _durations than multipliers this means that the events will be emitting incorrect data or even throwing errors because the multipliers array index would be out of bounds.

Proof of Concept

function setLockPeriods( uint256[] memory durations_, uint8[] memory multipliers ) external onlyOwner { uint256 count = durations_.length;

    for (uint256 i; i < count; ++i) {
        uint256 duration = durations_[i];
        require(duration <= uint256(18250 days), "INVALID_DURATION");
        emit LockPeriodSet(
            duration,
            bonusMultiplierOf[duration] = multipliers[i]
        );
    }
}

Tools Used

Manual code review

Recommended Mitigation Steps

Add a require check that both of the arrays are the same length like so:

function setLockPeriods( uint256[] memory durations_, uint8[] memory multipliers ) external onlyOwner { require(durations_.length == multipliers.length, "Arrays must be the same length"); uint256 count = durations_.length;

    for (uint256 i; i < count; ++i) {
        uint256 duration = durations_[i];
        require(duration <= uint256(18250 days), "INVALID_DURATION");
        emit LockPeriodSet(
            duration,
            bonusMultiplierOf[duration] = multipliers[i]
        );
    }
}

#0 - deluca-mike
2022-01-05T07:52:53Z

If there are more multipliers than durations, then the extra multipliers are ignored. If there are more durations than multipliers, then the function will revert anyway. Further, if the admin did make a mistake, they can just call the function again. This is not even low risk, let alone high risk.

#1 - deluca-mike
2022-01-09T10:35:09Z

Duplicate #38

XDEFI contest - jayjonah8's results

The fastest wallet in DeFi.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $37.37

QA Report - $37.37

[L-02] setLockPeriods() function doesn't make sure both array args are the same length - $37.37

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - deluca-mike2022-01-05T07:52:53Z

#1 - deluca-mike2022-01-09T10:35:09Z

#0 - deluca-mike
2022-01-05T07:52:53Z

#1 - deluca-mike
2022-01-09T10:35:09Z