Mochi contest - loop's results

Next-Gen Decentralized Digital Currency Backed By Long-Tail Cryptoassets.

General Information

Platform: Code4rena

Start Date: 21/10/2021

Pot Size: $80,000 ETH

Total HM: 28

Participants: 15

Period: 7 days

Judge: ghoulsol

Total Solo HM: 19

Id: 42

League: ETH

Mochi

Findings Distribution

Researcher Performance

Rank: 12/15

Findings: 3

Award: $296.51

🌟 Selected for report: 3

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Mochi

Findings Information

🌟 Selected for report: loop

Also found by: WatchPug, cmichel, defsec, gzeon, leastwood, nikitastupin, pants

Labels

bug

2 (Med Risk)

sponsor confirmed

Awards

0.0174 ETH - $72.55

External Links

Link to GitHub issue

Handle

loop

Vulnerability details

ERC20 transfer and transferFrom calls normally return true on a succesful transfer. In DutchAuctionLiquidator the call asset.transfer(msg.sender, _collateral); is made. asset refers to whichever ERC20 asset is used for the vault of that auction. If asset is an ERC20 token which does not comply with the EIP-20 standard it might return false on a failed transaction rather than revert. In this case it would count as a valid transaction even though it is not. If a vault would be making use of USDT the transfer call would always revert as USDT returns void on transfers.

There are a few more transfer(From) calls which are unchecked, these are however all on a predetermined asset (mochi, usdM and crv) and unlikely to cause problems.

Proof of Concept

Unchecked transfer call on asset:

https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/liquidator/DutchAuctionLiquidator.sol#L107

Other unchecked transfer calls (mochi, usdM, crv):

Tools Used

Slither

Recommended Mitigation Steps

In other contracts the functions cheapTransfer and cheapTransferFrom are used which are part of the mochifi cheapERC20 library. These functions do check for a return value and could be used rather than transfer and transferFrom.

#0 - r2moon
2021-10-26T15:59:42Z

transferFrom and transfer functions are used for mochi and usdm tokens which are standard EIP-20 tokens.

Findings Information

🌟 Selected for report: loop

Also found by: cmichel

Labels

bug

1 (Low Risk)

Awards

0.0437 ETH - $182.03

External Links

Link to GitHub issue

Handle

loop

Vulnerability details

In MochiVaultFactory a low level call is made to update the Beacon template to _newTemplate: address(beacon).call(abi.encode(_newTemplate));. Afterwards the _newTemplate is written to the template variable, even if the low level call failed.

Proof of Concept

https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/vault/MochiVaultFactory.sol#L22

Tools Used

Slither

Recommended Mitigation Steps

Check if low level call was successful using the boolean return value of a low level call.

#0 - ghoul-sol
2021-11-02T17:14:36Z

I'm not sure why it's marked invalid, the finding seems valid to me.

Mochi contest - loop's results

Next-Gen Decentralized Digital Currency Backed By Long-Tail Cryptoassets.

General Information

Findings Distribution

Researcher Performance

External Links

🌟 [M-04] Unchecked ERC20 transfer calls - $72.55

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - r2moon2021-10-26T15:59:42Z

QA Report - $182.03

Gas Report - $41.93

QA Report - $182.03

Gas Report - $41.93

🌟 [G-08] Variable `liquidated` in MochiVault is never used - $41.93

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

🌟 [L-08] Unchecked low level call - $182.03

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - ghoul-sol2021-11-02T17:14:36Z

#0 - r2moon
2021-10-26T15:59:42Z

#0 - ghoul-sol
2021-11-02T17:14:36Z