prePO contest - mert_eren's results

Decentralized Exchange for Pre-IPO Stocks & Pre-IDO Tokens.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $36,500 USDC

Total HM: 9

Participants: 69

Period: 3 days

Judge: Picodes

Total Solo HM: 2

Id: 190

League: ETH

Researcher Performance

Rank: 35/69

Findings: 1

Award: $210.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Trust

Also found by: 0Kage, Parth, aviggiano, ayeslick, bin2chen, cccz, chaduke, fs0c, hansfriese, imare, mert_eren, rvierdiiev

Labels: bug, 3 (High Risk), satisfactory, edited-by-warden, duplicate-310

Awards

210.7761 USDC - $210.78

External Links

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/WithdrawHook.sol#L53-L80

Vulnerability details

Impact

When periods are in use, the code is vulnerable to withdrawals which exceed the limit amount.

Proof of Concept

In WithdrawHook there is no requirement against exceeding the user or global limit; it just records how much money was withdrawn. In this way, anybody who wants to withdraw after the global and user limits have been used up, once a new time period has started, does not face any limit on the withdrawal amount. https://github.com/merteren1234/prepo-typescript-test is the test which I use, and below it shows that it is correct.

In lines 59-62 and 66-69 of the GitHub link which I mentioned as the affected code, a requirement like require(_amountBeforeFee<globalWithdrawLimitPerPeriod) and require(_amountBeforeFee<userWithdrawLimitPerPeriod) should be inserted.
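The following is an added illustration of the pattern this finding describes; it is not prePO's WithdrawHook and not code from the warden's submission. It shows a minimal period-limited hook in two variants: a record-only variant that rolls the period and adds to the running totals without ever comparing them to the limits, and an enforcing variant that checks the running per-period total plus the incoming amount before recording it (the running total rather than the single amount, since the limit is per period). Only `globalWithdrawLimitPerPeriod`, `userWithdrawLimitPerPeriod` and `_amountBeforeFee` are names from the finding; the period length, reset timestamps and running-total variables are assumptions made for this example, as is the Foundry test harness (forge-std) at the end.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol"; // assumed: a Foundry project with forge-std installed

/// Illustrative hook, not the prePO contract. Names other than the two limits
/// and _amountBeforeFee are assumptions for this example.
contract PeriodLimitedWithdrawHook {
    uint256 public immutable periodLength;           // assumed: seconds per limit window
    uint256 public globalWithdrawLimitPerPeriod;     // name from the finding
    uint256 public userWithdrawLimitPerPeriod;       // name from the finding

    uint256 public lastGlobalPeriodReset;                             // assumed
    uint256 public globalAmountWithdrawnThisPeriod;                   // assumed
    mapping(address => uint256) public lastUserPeriodReset;           // assumed
    mapping(address => uint256) public userAmountWithdrawnThisPeriod; // assumed

    constructor(uint256 _periodLength, uint256 _globalLimit, uint256 _userLimit) {
        periodLength = _periodLength;
        globalWithdrawLimitPerPeriod = _globalLimit;
        userWithdrawLimitPerPeriod = _userLimit;
    }

    /// Record-only pattern: the period is rolled and the amount is recorded,
    /// but the running totals are never compared to the limits, so any amount passes.
    function hookRecordOnly(address _user, uint256 _amountBeforeFee) external {
        _rollPeriods(_user);
        globalAmountWithdrawnThisPeriod += _amountBeforeFee;
        userAmountWithdrawnThisPeriod[_user] += _amountBeforeFee;
    }

    /// Enforcing pattern: same bookkeeping, plus a require on the cumulative
    /// per-period total (existing total + this amount) before recording.
    function hookEnforced(address _user, uint256 _amountBeforeFee) external {
        _rollPeriods(_user);
        require(
            globalAmountWithdrawnThisPeriod + _amountBeforeFee <= globalWithdrawLimitPerPeriod,
            "Global withdraw limit exceeded"
        );
        require(
            userAmountWithdrawnThisPeriod[_user] + _amountBeforeFee <= userWithdrawLimitPerPeriod,
            "User withdraw limit exceeded"
        );
        globalAmountWithdrawnThisPeriod += _amountBeforeFee;
        userAmountWithdrawnThisPeriod[_user] += _amountBeforeFee;
    }

    /// Reset the running totals once a full period has elapsed.
    function _rollPeriods(address _user) internal {
        if (lastGlobalPeriodReset + periodLength < block.timestamp) {
            lastGlobalPeriodReset = block.timestamp;
            globalAmountWithdrawnThisPeriod = 0;
        }
        if (lastUserPeriodReset[_user] + periodLength < block.timestamp) {
            lastUserPeriodReset[_user] = block.timestamp;
            userAmountWithdrawnThisPeriod[_user] = 0;
        }
    }
}

/// Foundry test (assumed harness) contrasting the two variants with the same inputs.
contract PeriodLimitedWithdrawHookTest is Test {
    PeriodLimitedWithdrawHook hook;
    address alice = address(0xA11CE); // constructed sample address

    function setUp() public {
        vm.warp(1_000_000);
        hook = new PeriodLimitedWithdrawHook(1 days, 100 ether, 50 ether);
    }

    function testRecordOnlyAcceptsAmountAboveLimit() public {
        hook.hookRecordOnly(alice, 500 ether);
        assertEq(hook.userAmountWithdrawnThisPeriod(alice), 500 ether); // recorded, never rejected
    }

    function testEnforcedRejectsCumulativeOverflow() public {
        hook.hookEnforced(alice, 30 ether);
        vm.expectRevert(bytes("User withdraw limit exceeded"));
        hook.hookEnforced(alice, 30 ether); // 30 + 30 > 50 user limit
    }

    function testEnforcedResetsAfterPeriod() public {
        hook.hookEnforced(alice, 50 ether);
        vm.warp(block.timestamp + 1 days + 1);
        hook.hookEnforced(alice, 50 ether); // new period, totals reset
        assertEq(hook.userAmountWithdrawnThisPeriod(alice), 50 ether);
    }
}
```

The test contract runs with `forge test` in a project where forge-std is installed; the second test is the check a reviewer would want to see fail against the record-only variant and pass against the enforcing one, since it exercises the cumulative total inside a single period rather than one oversized withdrawal.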

#0 - hansfriese

2022-12-13T15:25:34Z

duplicate of #310

#1 - Picodes

2022-12-13T19:09:43Z

Your finding is great, but:

  • please do not use screenshots, copy-paste your code and results
  • I suggest you use chatGPT or some tools to improve your writing skills as punctuation and grammar could be improved

#2 - c4-judge

2022-12-13T19:09:53Z

Picodes marked the issue as duplicate of #310

#3 - c4-judge

2023-01-01T17:19:39Z

Picodes marked the issue as satisfactory
