Centrifuge - jkoppel's results

The institutional ecosystem for on-chain credit.

General Information

Platform: Code4rena

Start Date: 08/09/2023

Pot Size: $70,000 USDC

Total HM: 8

Participants: 84

Period: 6 days

Judge: gzeon

Total Solo HM: 2

Id: 285

League: ETH

Centrifuge

Findings Distribution

Researcher Performance

Rank: 76/84

Findings: 1

Award: $12.79

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

12.7917 USDC - $12.79

Labels

bug
downgraded by judge
grade-b
low quality report
QA (Quality Assurance)
duplicate-41
Q-05

External Links

Lines of code

https://github.com/code-423n4/2023-09-centrifuge/blob/0af232255c7d045efde4ac40801dfeeed8a8d889/src/LiquidityPool.sol#L98

Vulnerability details

Impact

withApproval in LiquidityManager.sol carries the following documentation comment:

    /// @dev Either msg.sender is the owner or a ward on the contract

However, the code makes it very clear that only owners have approval, never wards.

    modifier withApproval(address owner) {
        require(msg.sender == owner, "LiquidityPool/no-approval");
        _;
    }

The upshot is that only owners of positions can modify them. Wards cannot, even though the documentation makes it clear they should be able to.

Proof of Concept

I modified testDepositWithApproval in Liquidity.t.sol to try the deposit where the test contract is a ward.

        root.relyContract(lPool_, self); // give self auth permissions
        lPool.requestDeposit(amount, address(investor));

However, the transaction reverted with "LiquidityPool/no-approval", even though the caller is a ward and should have this power according to the docs.

Tools Used

Manual inspection

Recommended Mitigation Steps

    modifier withApproval(address owner) {
        require(msg.sender == owner || wards[msg.sender] == 1, "LiquidityPool/no-approval");
        _;
    }
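Added here as an example (not the report's or Centrifuge's code): a Foundry test against a hypothetical PoolStub that replays the PoC in both states of the check, assuming only the wards mapping (1 = authorised) and the revert string shown above; honourWards, requested and the sample addresses are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import "forge-std/Test.sol";

/// Hypothetical stand-in for the pool (not Centrifuge's code): only the wards mapping
/// and the withApproval modifier discussed in the report are modelled.
contract PoolStub {
    mapping(address => uint256) public wards;     // 1 = authorised ward
    mapping(address => uint256) public requested; // pending deposit per owner
    bool public honourWards; // false: check as reported; true: proposed fix
    constructor(bool honourWards_) {
        wards[msg.sender] = 1; // deployer is a ward, like root.relyContract in the PoC
        honourWards = honourWards_;
    }

    /// @dev Either msg.sender is the owner or a ward on the contract
    modifier withApproval(address owner) {
        bool isWard = honourWards && wards[msg.sender] == 1;
        require(msg.sender == owner || isWard, "LiquidityPool/no-approval");
        _;
    }
    function requestDeposit(uint256 assets, address owner) external withApproval(owner) {
        requested[owner] += assets;
    }
}

contract WithApprovalTest is Test {
    address investor = address(0xBEEF); // constructed sample owner

    // As reported: a ward acting for the investor is rejected, contradicting the @dev line.
    function testWardRevertsUnderCurrentCheck() public {
        PoolStub pool = new PoolStub(false);
        vm.expectRevert(bytes("LiquidityPool/no-approval"));
        pool.requestDeposit(1 ether, investor);
    }

    // With the proposed fix the same call succeeds and credits the investor.
    function testWardSucceedsWithFix() public {
        PoolStub pool = new PoolStub(true);
        pool.requestDeposit(1 ether, investor);
        assertEq(pool.requested(investor), 1 ether);
    }

    // The fix must not loosen the check for a caller that is neither owner nor ward.
    function testStrangerStillReverts() public {
        PoolStub pool = new PoolStub(true);
        vm.prank(address(0xCAFE));
        vm.expectRevert(bytes("LiquidityPool/no-approval"));
        pool.requestDeposit(1 ether, investor);
    }
}
```

Run with `forge test` in a project that vendors forge-std; the first test fails if the modifier is changed to honour wards, which makes it a regression check for whichever behaviour the team decides the documentation should describe.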

Assessed type

Access Control

#0 - c4-pre-sort

2023-09-16T01:48:25Z

raymondfam marked the issue as low quality report

#1 - c4-pre-sort

2023-09-16T01:48:35Z

raymondfam marked the issue as duplicate of #41

#2 - c4-judge

2023-09-25T16:09:58Z

gzeon-c4 changed the severity to QA (Quality Assurance)

#3 - c4-judge

2023-09-26T18:21:24Z

gzeon-c4 marked the issue as grade-c

#4 - c4-judge

2023-09-29T11:52:20Z

gzeon-c4 marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
