Canto Dex Oracle contest - linmiaomiao's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 07/09/2022

Pot Size: $20,000 CANTO

Total HM: 7

Participants: 65

Period: 1 day

Judge: 0xean

Total Solo HM: 3

Id: 159

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 4/65

Findings: 3

Award: $1,530.37

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: hickuphh3

Also found by: Critical, __141345__, linmiaomiao, sorrynotsorry

Labels

bug
duplicate
3 (High Risk)
edited-by-warden

Awards

7507.8311 CANTO - $1,212.51

External Links

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L501

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L505

Vulnerability details

Impact

Hardcoded prices of stablecoins may open some arbitrage opportunities and produce many bad loans in CLM.

Proof of Concept

Hardcoding the price of cUSDT and cUSDC as 1 may open some arbitrage opportunities when the real price of each token differs slightly, and a user can borrow more than the actual value of their collateral in the Canto Lending Market. Also, in case of a UST-style collapse, many bad loans would exist in CLM.

Tools Used

Webstorm

Recommended Mitigation Steps

Don't hardcode the cUSDT price to 1.

#0 - nivasan1

2022-09-09T19:12:00Z

duplicate #73

Findings Information

🌟 Selected for report: hickuphh3

Also found by: 0xNazgul, 0xSky, CertoraInc, Deivitto, Jeiwan, SinceJuly, hansfriese, linmiaomiao, rbserver

Labels

bug
duplicate
2 (Med Risk)

Awards

664.9949 CANTO - $107.40

External Links

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L581-L584

Vulnerability details

Impact

When calculating token0TVL, the code first divides the price by the decimals and then multiplies by the reserve. This causes a loss of precision and makes the LP token price wrong.

Proof of Concept

token0TVL is calculated as:

token0TVL = assetReserves[i] * (prices[i] / decimals)

It first divides by the decimals and then multiplies by the reserve, which discards the decimal part of the price. As a result, token0TVL will be much less than the actual value, which finally makes the LP token price wrong.

Tools Used

Webstorm

Recommended Mitigation Steps

Calculate it like this instead:

token0TVL = assetReserves[i] * prices[i] / decimals
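The following is an added example, not code from the Canto repository or from the warden's report. It models both orderings of the token0TVL formula with EVM-style unsigned integer arithmetic (truncating division, revert on overflow) so the truncation described above is visible on concrete numbers. The reserve, price and decimals values are constructed for illustration.

```python
# Added example (not code from the Canto repository): models the two TVL
# formulas from the finding with EVM-style uint256 arithmetic. The sample
# reserve and prices below are constructed for illustration.

UINT256_MAX = 2**256 - 1


def _uint256(x: int) -> int:
    """Reject any intermediate that would revert on-chain (underflow/overflow)."""
    if x < 0 or x > UINT256_MAX:
        raise OverflowError(f"value does not fit in uint256: {x}")
    return x


def tvl_divide_first(reserve: int, price: int, decimals: int) -> int:
    """Original order: prices[i] / decimals is truncated before multiplying.

    Any price below one whole unit (price < decimals) becomes 0, and the
    fractional part of any larger price is discarded.
    """
    return _uint256(reserve * _uint256(price // decimals))


def tvl_multiply_first(reserve: int, price: int, decimals: int) -> int:
    """Recommended order: multiply first, divide once at the end."""
    return _uint256(_uint256(reserve * price) // decimals)


def precision_loss(reserve: int, price: int, decimals: int) -> dict:
    """Return both results and the fraction of value lost by dividing first."""
    wrong = tvl_divide_first(reserve, price, decimals)
    right = tvl_multiply_first(reserve, price, decimals)
    lost = 0.0 if right == 0 else (right - wrong) / right
    return {"divide_first": wrong, "multiply_first": right, "fraction_lost": lost}


if __name__ == "__main__":
    DECIMALS = 10**18            # an 18-decimal token
    RESERVE = 1_000 * DECIMALS   # constructed: 1,000 tokens held by the pool
    # Constructed prices in 18-decimal fixed point
    for label, price in (("price 1.5", 15 * 10**17), ("price 0.5", 5 * 10**17)):
        r = precision_loss(RESERVE, price, DECIMALS)
        print(f"{label}: divide-first={r['divide_first']} "
              f"multiply-first={r['multiply_first']} lost={r['fraction_lost']:.0%}")
```

Running it shows a price of 1.5 valued as if it were 1.0 (a third of the TVL lost) and a price of 0.5 valued as 0 (all of it lost). The multiply-first form is exact but the intermediate `reserve * price` must still fit in uint256, which the `_uint256` guard checks; for the 18-decimal magnitudes used here that headroom is ample.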

#0 - nivasan1

2022-09-08T21:25:02Z

duplicate of #41

Findings Information

🌟 Selected for report: Chom

Also found by: 0xSmartContract, Jeiwan, SinceJuly, V_B, cccz, linmiaomiao

Labels

bug
duplicate
2 (Med Risk)
edited-by-warden

Awards

1303.145 CANTO - $210.46

External Links

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L491

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L498

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L501

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L505

Vulnerability details

Impact

It compares symbols to identify tokens, which can be exploited to produce a fake token price.

Proof of Concept

An attacker can create a token that looks like a cToken and has the symbol cNOTE. When somebody calls the comptroller's liquidateCalculateSeizeTokens, it will return a collateral number for an unlisted token against another token (which can be an unlisted or a listed token). If other contracts without a token whitelist use this price oracle, this can be exploited to produce a faked price. Producing a hardcoded price for a non-official token is also wrong logic.

Tools Used

Webstorm

Recommended Mitigation Steps

Use the address instead of the symbol to identify the token.
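The following is an added example, not code from the Canto repository or from the warden's report. It models the two lookup strategies side by side: a price table keyed by the self-reported symbol (the flagged pattern) and one keyed by the listed market's address (the recommended fix), plus a check that reports whether a given token would get a price from the first lookup while being refused by the second. The addresses, symbols and prices are constructed placeholders, not real Canto deployments.

```python
# Added example (not code from the Canto repository): a small model of
# symbol-keyed versus address-keyed price lookup. Addresses and symbols are
# constructed placeholders, not real Canto contracts.

from dataclasses import dataclass

ONE = 10**18  # 18-decimal fixed-point "1"


@dataclass(frozen=True)
class Token:
    address: str  # on-chain identity; a new deployment can never reuse it
    symbol: str   # self-reported by the contract; any deployer can choose it


# Constructed placeholder addresses for the listed markets
CNOTE = Token("0x0000000000000000000000000000000000000001", "cNOTE")
CUSDC = Token("0x0000000000000000000000000000000000000002", "cUSDC")

# Flagged pattern: hardcoded prices keyed by symbol()
PRICE_BY_SYMBOL = {"cNOTE": ONE, "cUSDC": ONE}

# Recommended pattern: hardcoded prices keyed by the listed market's address
PRICE_BY_ADDRESS = {CNOTE.address: ONE, CUSDC.address: ONE}


def get_price_by_symbol(token: Token) -> int:
    """Mirrors the flagged logic: trust whatever symbol the contract reports."""
    price = PRICE_BY_SYMBOL.get(token.symbol)
    if price is None:
        raise ValueError(f"no price for symbol {token.symbol}")
    return price


def get_price_by_address(token: Token) -> int:
    """Recommended fix: only a token whose address is listed gets a price."""
    price = PRICE_BY_ADDRESS.get(token.address)
    if price is None:
        raise ValueError(f"unlisted token {token.address}")
    return price


def is_spoofable(token: Token) -> bool:
    """True when the symbol lookup prices the token but the address lookup refuses it."""
    try:
        get_price_by_symbol(token)
    except ValueError:
        return False
    try:
        get_price_by_address(token)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed: an unlisted contract that merely reports the symbol "cNOTE"
    lookalike = Token("0x00000000000000000000000000000000000000ff", "cNOTE")
    print("genuine cNOTE spoofable:", is_spoofable(CNOTE))       # False
    print("lookalike cNOTE spoofable:", is_spoofable(lookalike))  # True
```

The address-keyed table is the whitelist: anything not in it is refused, so a contract that merely reports a matching symbol gets no price, and any downstream consumer without its own whitelist inherits that protection.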

#0 - nivasan1

2022-09-10T17:21:24Z

duplicate #24
