Platform: Code4rena
Start Date: 17/03/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 43
Period: 3 days
Judge: gzeon
Total Solo HM: 5
Id: 100
League: ETH
Rank: 4/43
Findings: 3
Award: $2,416.96
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-03-prepo/blob/main/contracts/core/Collateral.sol#L95-L135
Withdrawals can be initiated by accounts by calling the initiateWithdrawal function. A block delay is enforced with an expiration to prevent flash loan attacks on the protocol. However, because withdrawal requests are conducted on the account's token balance, request amounts can be replicated by calling initiateWithdrawal on some small amount, sending tokens to another account and calling initiateWithdrawal again. This completely negates any flash loan protection that may be enforced.
Consider the following scenario:
Collateral.sol contract.initiateWithdrawal on these 100 tokens.initiateWithdrawal on these accounts.Manual code review.
Consider checking the account's token balance is greater than the _amount to withdraw in _processDelayedWithdrawal. Alternatively, you can setup _transfer to reset the sender's active withdrawal request.
#0 - ramenforbreakfast
2022-03-24T06:36:16Z
duplicate of #54
#1 - gzeoneth
2022-04-03T13:32:26Z
Upgrading to high risk to align with #54
https://github.com/code-423n4/2022-03-prepo/blob/main/contracts/core/PrePOMarket.sol
The _expiryTime variable is stored in the PrePOMarket.sol contract but not enforced anywhere in the contract. As a result, if a public offering never comes to fruition, then _finalLongPrice will never be set and hence users will be expected to redeem collateral tokens by transferring an equivalent amount of short and long tokens. Because short and long tokens are traded on the secondary market, it is highly likely that users will not be able to redeem all available collateral tokens due to LP fees and market slippage. Every collateral redemption will leave some dust balance in the market contract that cannot be claimed.
Manual code review.
Consider enforcing market expiration onchain. After expiration, the PrePOMarket.sol contract should treat long and short tokens as of equivalent value such that collateral redemption is symmetrical in nature.
#0 - ramenforbreakfast
2022-03-24T06:36:38Z
duplicate of #28
#1 - gzeoneth
2022-04-03T13:29:46Z
Agree with sponsor
🌟 Selected for report: defsec
Also found by: 0x1f8b, 0xDjango, 0xNazgul, 0xkatana, 0xwags, CertoraInc, Funen, GeekyLumberjack, GreyArt, IllIllI, Kenshin, Ruhum, TerrierLover, WatchPug, berndartmueller, bugwriter001, cccz, cmichel, csanuragjain, hake, kenta, kirk-baird, leastwood, minhquanym, oyc_109, peritoflores, rayn, remora, rfa, robee, saian, samruna, sorrynotsorry, wuwe1
51.8842 USDC - $51.88
https://github.com/code-423n4/2022-03-prepo/blob/main/contracts/core/Collateral.sol#L15
Because the Collateral.sol contract utilises ERC20Upgradeable, it is expected that this contract will deployed under some proxy contract setup. This gives the contract owner the power to deploy new implementation contracts with different logic but the same storage. However, because the contract owner has these privileges, it is possible for the implementation contract to contain a malicious function allowing them to withdraw all deposited tokens, effectively rugpulling the protocol.
Manual code review.
Ensure this is understood and consider making Collateral.sol contracts immutable. There is little to no benefit in making the Collateral.sol contract upgradable and it adds additional trust dependencies to the protocol.
#0 - ramenforbreakfast
2022-03-24T06:43:56Z
I consider this issue to be invalid since it breaks trust assumptions embedded within the project.
#1 - gzeoneth
2022-04-03T14:02:31Z
Considering the project described the owner as a timelocked DAO multisig, I am downgrading this to Low/QA. Treating this as warden's QA Report.
#2 - JeeberC4
2022-04-12T18:27:41Z
Per judges downgrade to QA Report, preserving original title: Contract Owner Can Rugpull Collateral.sol