Juicebox Buyback Delegate - ktg's results

Thousands of projects use Juicebox to fund, operate, and scale their ideas & communities transparently on Ethereum.

General Information

Platform: Code4rena

Start Date: 18/05/2023

Pot Size: $24,500 USDC

Total HM: 3

Participants: 72

Period: 4 days

Judge: LSDan

Id: 237

League: ETH

Juicebox

Researcher Performance

Rank: 3/72

Findings: 1

Award: $2,242.15

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: ABA

Also found by: RaymondFam, ktg

Labels

bug
2 (Med Risk)
satisfactory
edited-by-warden
duplicate-79

Awards

2242.1524 USDC - $2,242.15

External Links

Lines of code

https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L235-#L239

Vulnerability details

Impact

  • If JBXBuybackDelegate is used as the data source for redeem, users cannot redeem their tokens.

Proof of Concept

The contract JBXBuybackDelegate is a data source. According to the docs: "A data source contract can be used to provide custom data to the JBPayoutRedemptionPaymentTerminal3_1.pay(...) transaction and/or the JBPayoutRedemptionPaymentTerminal3_1.redeemTokensOf(...) transaction."

Since JBXBuybackDelegate implements the IJBFundingCycleDataSource interface, it must override the redeemParams function, and the contract leaves it empty:

function redeemParams(JBRedeemParamsData calldata _data)
  external
  override
  returns (
    uint256 reclaimAmount,
    string memory memo,
    JBRedemptionDelegateAllocation[] memory delegateAllocations
  )
{}

Because the function is empty, if JBXBuybackDelegate is used as the data source for redeem, users would not be able to redeem their tokens, since the reclaimAmount returned from redeemParams is always 0.

JBXBuybackDelegate is meant to be used for pay only and not for redeem. Even so, redeemParams should return the default values so that it does not interfere with the redeem process. Using JBXBuybackDelegate as the data source for redeem is perfectly possible, since the contract implements the IJBFundingCycleDataSource interface, and in that case the contract should not set reclaimAmount to 0. This is what the docs recommend: https://docs.juicebox.money/dev/build/treasury-extensions/data-source/#examples

// This is unused but needs to be included to fulfill IJBFundingCycleDataSource.
function redeemParams(JBRedeemParamsData calldata _data)
  external
  pure
  override
  returns (
    uint256 reclaimAmount,
    string memory memo,
    IJBRedemptionDelegate delegate
  )
{
  // Return the default values.
  return (_data.reclaimAmount.value, _data.memo, IJBRedemptionDelegate(address(0)));
}

Tools Used

I recommend returning default values from the redeemParams function, as in the code above.

Assessed type

Library
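An added example, not part of the original submission or of Juicebox's code: a simplified Solidity model of the behaviour described in the finding, placing an empty redeemParams next to a pass-through version written against the three-value return signature that the contract declares. RedeemParams, DelegateAllocation, IDataSource and MiniTerminal are hypothetical stand-ins for the Juicebox types and terminal, and the way MiniTerminal consumes the returned amount is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Simplified stand-ins (assumptions): the real JBRedeemParamsData has more fields
// and carries the default amount as a struct, read as _data.reclaimAmount.value.
struct RedeemParams { address holder; uint256 tokenCount; uint256 reclaimAmount; string memo; }
struct DelegateAllocation { address delegate; uint256 amount; }

interface IDataSource {
  function redeemParams(RedeemParams calldata data)
    external
    returns (uint256 reclaimAmount, string memory memo, DelegateAllocation[] memory allocations);
}

// Same shape as the empty body in the finding: every named return value keeps
// its zero default, so the data source reports a reclaim amount of 0.
contract EmptyDataSource is IDataSource {
  function redeemParams(RedeemParams calldata)
    external pure override
    returns (uint256 reclaimAmount, string memory memo, DelegateAllocation[] memory allocations)
  {}
}

// Pass-through: hands the terminal's own default amount and memo back unchanged
// and names no redemption delegates (empty allocations array).
contract PassThroughDataSource is IDataSource {
  function redeemParams(RedeemParams calldata data)
    external pure override
    returns (uint256, string memory, DelegateAllocation[] memory)
  {
    return (data.reclaimAmount, data.memo, new DelegateAllocation[](0));
  }
}

// Hypothetical terminal: the value returned by the data source replaces the
// default it computed, which is why an empty redeemParams blocks redemptions.
contract MiniTerminal {
  function reclaimFor(IDataSource ds, uint256 tokenCount, uint256 defaultReclaim)
    external
    returns (uint256 reclaimAmount)
  {
    RedeemParams memory p = RedeemParams(msg.sender, tokenCount, defaultReclaim, "");
    (reclaimAmount, , ) = ds.redeemParams(p);
  }
}
```

Calling reclaimFor with an EmptyDataSource yields 0 for any defaultReclaim, while the PassThroughDataSource yields defaultReclaim itself.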

#0 - c4-pre-sort

2023-05-25T12:54:17Z

dmvt marked the issue as duplicate of #79

#1 - c4-judge

2023-06-02T15:10:25Z

dmvt marked the issue as satisfactory
