Althea Liquid Infrastructure - kartik_giri_47538's results

General Information

Platform: Code4rena

Start Date: 13/02/2024

Pot Size: $24,500 USDC

Total HM: 5

Participants: 84

Period: 6 days

Judge: 0xA5DF

Id: 331

League: ETH

Althea

Findings Distribution

Researcher Performance

Rank: 58/84

Findings: 1

Award: $25.73

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

25.7286 USDC - $25.73

Labels

bug
2 (Med Risk)
downgraded by judge
insufficient quality report
satisfactory
duplicate-87

External Links

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L441

Vulnerability details

Overwriting distributableERC20s array during distribution.

Description: The contract allows the owner to overwrite the list of ERC20s (distributableERC20s) that may be distributed to token holders while a distribution to holders is in progress. This is unsafe because _beginDistribution computes erc20EntitlementPerUnit index by index from the distributableERC20s listed at that moment, while the per-holder loop in distribute reads distributableERC20s again on every call and pairs each entry with the entitlement stored at the same index. If the list is changed in between, the two arrays no longer correspond and holders receive incorrect tokens and amounts.

Impact: Changing distributableERC20s during a distribution causes the contract to send holders tokens, and amounts, that were not intended. This can misallocate funds and cause a loss of funds for token holders. Inconsistent or inaccurate Distribution events also undermine trust in the protocol.

Proof of Concept: The _beginDistribution function calculates erc20EntitlementPerUnit from distributableERC20s. If the owner changes distributableERC20s while a distribution is in progress, subsequent calls to distribute use the stale entitlements against the new token list, transfer incorrect amounts to holders, and emit Distribution events with incorrect token lists and amounts.
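The following is an added illustration and not code from the Althea repository. It models the bookkeeping the finding describes: entitlements are snapshotted from distributableERC20s when the distribution begins, but each later distribute call pairs erc20EntitlementPerUnit[j] with whatever distributableERC20s[j] holds at that moment. The token names, balances, holders and supply are constructed sample data; the `guard` flag is an assumed switch that applies the LockedForDistribution check proposed below so both behaviours can be compared.

```python
from dataclasses import dataclass, field


@dataclass
class DistributionModel:
    """Minimal model of the distribution state machine (not the real contract)."""
    distributable: list                 # distributableERC20s
    token_balances: dict                # contract's balance of each ERC20 (constructed)
    holders: dict                       # holder -> LiquidInfrastructureERC20 balance
    total_supply: int
    guard: bool = False                 # True = apply the proposed lock check in the setter
    locked: bool = False                # LockedForDistribution
    entitlement_per_unit: list = field(default_factory=list)  # erc20EntitlementPerUnit
    next_recipient: int = 0             # nextDistributionRecipient
    payouts: list = field(default_factory=list)  # (recipient, token, amount) attempted

    def set_distributable_erc20s(self, new_list):
        """onlyOwner setter; the original contract has no lock check here."""
        if self.guard and self.locked:
            raise RuntimeError("distribution in progress")
        self.distributable = list(new_list)

    def _begin_distribution(self):
        assert not self.locked
        self.locked = True
        # balance / supply for each listed token, in distributableERC20s order
        self.entitlement_per_unit = [
            self.token_balances.get(token, 0) // self.total_supply
            for token in self.distributable
        ]
        self.next_recipient = 0

    def distribute(self, num_distributions):
        if not self.locked:
            self._begin_distribution()
        recipients = list(self.holders)
        limit = min(self.next_recipient + num_distributions, len(recipients))
        for i in range(self.next_recipient, limit):
            recipient = recipients[i]
            # The same index j addresses two arrays that only agree if
            # distributableERC20s has not changed since _beginDistribution.
            for j, token in enumerate(self.distributable):
                amount = self.entitlement_per_unit[j] * self.holders[recipient]
                self.payouts.append((recipient, token, amount))
        self.next_recipient = limit
        if limit == len(recipients):
            self.locked = False         # _endDistribution
        return self.payouts


def run_scenario(guard: bool):
    """Alice is paid, the owner reorders the list, then Bob is paid."""
    model = DistributionModel(
        distributable=["USDC", "WETH"],
        token_balances={"USDC": 100_000, "WETH": 200},
        holders={"alice": 50, "bob": 50},
        total_supply=100,
        guard=guard,
    )
    model.distribute(1)                                # pays alice; locks
    model.set_distributable_erc20s(["WETH", "USDC"])   # owner swap mid-distribution
    model.distribute(1)                                # pays bob with stale entitlements
    return {(recipient, token): amount for recipient, token, amount in model.payouts}


def setter_is_blocked_during_distribution():
    """True if the guarded setter refuses the mid-distribution change."""
    try:
        run_scenario(guard=True)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(run_scenario(guard=False))
    print(setter_is_blocked_during_distribution())
```

Without the guard, Alice receives 50,000 USDC and 100 WETH as intended, but Bob is credited 50,000 WETH (the USDC per-unit rate applied to the WETH slot) and only 100 USDC. With the guard, the owner's change is rejected until the distribution ends.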

Recommended Mitigation: Prevent the owner from changing distributableERC20s while a distribution is in progress. This can be achieved by adding a check to setDistributableERC20s (and to any other function that modifies distributableERC20s) that requires LockedForDistribution to be false before allowing the change.

Below code shows the recommended mitigation.

    function setDistributableERC20s(address[] memory _distributableERC20s) public onlyOwner {
+       require(!LockedForDistribution, "distribution in progress");
        distributableERC20s = _distributableERC20s;
    }

Assessed type

Other

#0 - c4-pre-sort

2024-02-20T04:21:06Z

0xRobocop marked the issue as duplicate of #151

#1 - c4-pre-sort

2024-02-20T04:38:31Z

0xRobocop marked the issue as duplicate of #260

#2 - c4-pre-sort

2024-02-21T01:04:04Z

0xRobocop marked the issue as insufficient quality report

#3 - c4-judge

2024-03-04T15:15:57Z

0xA5DF marked the issue as satisfactory

#4 - c4-judge

2024-03-08T15:26:18Z

0xA5DF changed the severity to 2 (Med Risk)
