Back to marqymarq10's contests

Canto Liquidity Mining Protocol - marqymarq10's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 03/10/2023

Pot Size: $24,500 USDC

Total HM: 6

Participants: 62

Period: 3 days

Judge: LSDan

Total Solo HM: 3

Id: 288

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 56/62

Findings: 1

Award: $4.94

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCanto

Findings Information

🌟 Selected for report: adriro

Also found by: 0x3b, 0xAadi, 0xDING99YA, 0xTheC0der, 0xWaitress, 0xdice91, 100su, 3docSec, BRONZEDISC, BoRonGod, Eurovickk, GKBG, HChang26, IceBear, JP_Courses, MatricksDeCoder, Mike_Bello90, SovaSlava, Topmark, albahaca, cookedcookee, gzeon, hunter_w3b, kutugu, lukejohn, marqymarq10, matrix_0wl, orion, pep7siup, radev_sw, sces60107, taner2344, tpiliposian, wahedtalash77, xAriextz, zpan

Awards

4.9369 USDC - $4.94

Labels

bug
grade-b
QA (Quality Assurance)
sufficient quality report
Q-09

External Links

Link to GitHub issue

Issue #1 Add events when users claim rewards. This will allow users to more easily gather data about their balance changes off chain.

Issue #2 A user is able to re-enter CrocSwapDex.sol. This is possible by calling userCMD(), then calling swap(). Here is a basic example:

contract Attack {
    CrocSwapDex dex;
    address base;
    address quote;

    constructor(address _dex, address _base, address _quote) {
        dex = CrocSwapDex(_dex);
        base = _base;
        quote = _quote;
    }

    function callCMD(uint16 callpath, bytes calldata cmd) external {
        IERC20Minimal(base).approve(address(dex), type(uint256).max);
        IERC20Minimal(quote).approve(address(dex), type(uint256).max);
        dex.userCmd(callpath, cmd);
    }

    function recieve() external payable {
        dex.swap(
            base, // base
			quote, // quote
			36000, // poolIdx
			false, // isBuy
			false, // inBaseQty
			2000000, // qty
			0, // tip
			16602069666338596454400000, // limit price
			1900000000000000000, // min out
			0
        );
    }
}

I was not able to exploit anything further, but it is worth noting this is possible.

Issue #3 A user can not provide liquidity across the entirety of the ticks. In my tests the largest tick differential is [currTick - 940, currTick + 940]. This is the error I receive:

 Error: Transaction reverted without a reason string
    at CrocSwapDex.verifyCallResult (contracts/mixins/ProxyCaller.sol:64)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at runNextTicks (node:internal/process/task_queues:64:3)
    at listOnTimeout (node:internal/timers:538:9)
    at processTimers (node:internal/timers:512:7)
    at async HardhatNode._mineBlockWithPendingTxs (node_modules\hardhat\src\internal\hardhat-network\provider\node.ts:1866:23)
    at async HardhatNode.mineBlock (node_modules\hardhat\src\internal\hardhat-network\provider\node.ts:524:16)
    at async EthModule._sendTransactionAndReturnHash (node_modules\hardhat\src\internal\hardhat-network\provider\modules\eth.ts:1482:18)

Issue #4 When using via-ir with Hardhat it is recommended to adjust the hardhat config to included yulDetails, like so:

optimizer: {
  enabled: true,
  runs: 25000,
  details: {
    yulDetails: {
      optimizerSteps: "u",
    },
  },
},

Since without via-ir the code in scope cannot compile due to a stack too deep error, it is best to follow this format.

#0 - c4-pre-sort

2023-10-09T17:21:50Z

141345 marked the issue as sufficient quality report

#1 - c4-judge

2023-10-18T23:05:24Z

dmvt marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter