Tigris Trade contest - mookimgo's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Tigris Trade

Findings Distribution

Researcher Performance

Rank: 57/84

Findings: 2

Award: $110.68

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Tigris Trade

Findings Information

🌟 Selected for report: unforgiven

Also found by: 0xsomeone, KingNFT, debo, hihen, mookimgo, rotcivegaf, stealthyz, wait

Labels

bug

3 (High Risk)

partial-25

upgraded by judge

duplicate-400

Awards

50.3076 USDC - $50.31

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Position.sol#L148

Vulnerability details

Impact

Malicious user can use a contract call initiateLimitOrder and get a callback in the Position._safeMint, and then call cancelLimitOrder to burn the position NFT in this callback before _limitOrders and _limitOrderIndexes get updated.

In this case the burn function https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Position.sol#L264 will wrongly operate _limitOrderIndexes and _limitOrders.

Proof of Concept

todo

Tools Used

manual audit

Recommended Mitigation Steps

use _mint instead of _safeMint to avoid callback

#0 - GalloDaSballo
2022-12-19T21:41:06Z

Missing a clear Impact and POC, but is valid as a non CEI conformity finding

#1 - c4-judge
2022-12-21T15:10:54Z

GalloDaSballo marked the issue as duplicate of #197

#2 - c4-judge
2023-01-16T10:15:50Z

GalloDaSballo marked the issue as not a duplicate

#3 - c4-judge
2023-01-16T10:16:07Z

GalloDaSballo marked the issue as duplicate of #400

#4 - GalloDaSballo
2023-01-16T10:16:12Z

25% because missing most of the attack

#5 - c4-judge
2023-01-16T10:16:17Z

GalloDaSballo marked the issue as partial-25

#6 - c4-judge
2023-01-23T09:22:23Z

GalloDaSballo changed the severity to 3 (High Risk)

Findings Information

🌟 Selected for report: 0xdeadbeef0x

Also found by: 0x52, 8olidity, Faith, KingNFT, Rolezn, Ruhum, mookimgo, rbserver

Labels

bug

2 (Med Risk)

satisfactory

duplicate-198

Awards

60.3691 USDC - $60.37

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L117

Vulnerability details

Impact

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L117

    /**
     * @notice Claim rewards from gov nfts and distribute them to bonds
     */
    function claimGovFees() public {
        address[] memory assets = bondNFT.getAssets();

        for (uint i=0; i < assets.length; i++) {
            uint balanceBefore = IERC20(assets[i]).balanceOf(address(this));
            IGovNFT(govNFT).claim(assets[i]);
            uint balanceAfter = IERC20(assets[i]).balanceOf(address(this));
            IERC20(assets[i]).approve(address(bondNFT), type(uint256).max);
            bondNFT.distribute(assets[i], balanceAfter - balanceBefore);
        }
    }

Some ERC20 require approve set to zero before a approve can be done, like USDT https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code

require(!((_value != 0) && (allowed[msg.sender][_spender] != 0)));

So if USDT is added as an bondNFT asset, this approve call we be fail, and the claimGovFees will revert, causing DoS.

Proof of Concept

Code given above

Tools Used

None

Recommended Mitigation Steps

Remove approve and just send asset to bondNFT contract

#0 - c4-judge
2022-12-20T17:42:38Z

GalloDaSballo marked the issue as duplicate of #198

#1 - c4-judge
2023-01-22T17:52:42Z

GalloDaSballo marked the issue as satisfactory

Tigris Trade contest - mookimgo's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Findings Distribution

Researcher Performance

External Links

[H-07] _safeMint malicious callback can corrupt _limitOrders data in Position.sol - $50.31

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - GalloDaSballo2022-12-19T21:41:06Z

#1 - c4-judge2022-12-21T15:10:54Z

#2 - c4-judge2023-01-16T10:15:50Z

#3 - c4-judge2023-01-16T10:16:07Z

#4 - GalloDaSballo2023-01-16T10:16:12Z

#5 - c4-judge2023-01-16T10:16:17Z

#6 - c4-judge2023-01-23T09:22:23Z

[M-07] DoS due to approve in claimGovFees Lock.sol - $60.37

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - c4-judge2022-12-20T17:42:38Z

#1 - c4-judge2023-01-22T17:52:42Z

#0 - GalloDaSballo
2022-12-19T21:41:06Z

#1 - c4-judge
2022-12-21T15:10:54Z

#2 - c4-judge
2023-01-16T10:15:50Z

#3 - c4-judge
2023-01-16T10:16:07Z

#4 - GalloDaSballo
2023-01-16T10:16:12Z

#5 - c4-judge
2023-01-16T10:16:17Z

#6 - c4-judge
2023-01-23T09:22:23Z

#0 - c4-judge
2022-12-20T17:42:38Z

#1 - c4-judge
2023-01-22T17:52:42Z