Venus Prime - n1punp's results

Earn, borrow & lend on the #1 Decentralized Money Market on the BNB chain.

General Information

Platform: Code4rena

Start Date: 28/09/2023

Pot Size: $36,500 USDC

Total HM: 5

Participants: 115

Period: 6 days

Judge: 0xDjango

Total Solo HM: 1

Id: 290

League: ETH

Venus Protocol

Findings Distribution

Researcher Performance

Rank: 105/115

Findings: 1

Award: $4.37

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L40

Vulnerability details

Impact

calculateAPR will return incorrect and misleading numbers.

Proof of Concept

Some chains, such as Optimism and opBNB, do not have a fixed block time, so the number of blocks produced in a year is not constant. calculateAPR (most likely a view function consumed by the frontend) derives its result from an assumed number of blocks per year, so on such chains it may display an incorrect APR, which amounts to potentially false advertising of yields.

Tools Used

Manual Review

Recommended Mitigation Steps

  • Avoid basing the calculation on an assumed number of blocks per year; instead, compute the APR directly from a one-year time span (seconds), so the result does not depend on block cadence.
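The following is an added worked example, not code from the finding or from the Venus Prime contracts. It models the failure mode in plain arithmetic: an APR estimate built from an assumed blocks-per-year constant drifts as soon as the chain's real average block time differs from the assumption, while a time-based computation does not. The reward rate, principal and block times below are constructed values, and the function names are hypothetical.

```python
"""Added example (not part of the original finding or the Venus Prime code).

Compares a block-count based APR estimate with a time-based one when the
chain's actual block time differs from the value the estimate assumes.
All inputs are constructed for illustration.
"""

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31_536_000


def apr_from_blocks(reward_per_block: float, principal: float,
                    assumed_blocks_per_year: int) -> float:
    """Block-count based estimate (the pattern the finding flags):
    assumes a fixed number of blocks will be produced in a year."""
    return reward_per_block * assumed_blocks_per_year / principal


def apr_from_time(reward_per_second: float, principal: float) -> float:
    """Time-based estimate (the recommended mitigation):
    independent of how many blocks the chain happens to produce."""
    return reward_per_second * SECONDS_PER_YEAR / principal


def realized_apr(reward_per_block: float, principal: float,
                 avg_block_time_s: float) -> float:
    """What a user actually accrues over a year if rewards are paid per
    block and the chain sustains the given average block time."""
    actual_blocks_per_year = SECONDS_PER_YEAR / avg_block_time_s
    return reward_per_block * actual_blocks_per_year / principal


def estimate_error(reward_per_block: float, principal: float,
                   assumed_block_time_s: float,
                   actual_block_time_s: float) -> tuple[float, float, float]:
    """Return (displayed_apr, realized_apr, relative_error) for a
    block-based estimate whose assumed block time is wrong.
    relative_error < 0 means the UI under-reports; > 0 means it over-reports."""
    assumed_blocks = round(SECONDS_PER_YEAR / assumed_block_time_s)
    displayed = apr_from_blocks(reward_per_block, principal, assumed_blocks)
    realized = realized_apr(reward_per_block, principal, actual_block_time_s)
    return displayed, realized, (displayed - realized) / realized


if __name__ == "__main__":
    # Constructed scenario: 1 token per block, 100M tokens staked,
    # estimate assumes 3s blocks, chain actually averages 2s blocks.
    shown, real, err = estimate_error(1.0, 100_000_000, 3.0, 2.0)
    print(f"displayed APR: {shown:.5f}  realized APR: {real:.5f}  error: {err:+.1%}")
    # Time-based estimate with the equivalent per-second rate (1/3 token/s)
    # gives the same figure regardless of block cadence.
    print(f"time-based APR: {apr_from_time(1.0 / 3.0, 100_000_000):.5f}")
```

The relative error is simply the ratio of assumed to actual block time minus one, so a chain whose blocks arrive faster than assumed makes the block-based figure under-report, and slower blocks make it over-report. Note that the time-based estimate only removes the estimation error; if the contract itself emits rewards per block, the realized yield still moves with block cadence, so the emission schedule would also need to be time-based for the displayed number to hold.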

Assessed type

Other

#0 - 0xRobocop

2023-10-06T01:35:55Z

Consider QA

#1 - c4-pre-sort

2023-10-06T01:35:59Z

0xRobocop marked the issue as low quality report

#2 - c4-pre-sort

2023-10-06T01:37:54Z

0xRobocop marked the issue as primary issue

#3 - c4-pre-sort

2023-10-06T01:37:58Z

0xRobocop marked the issue as high quality report

#4 - c4-pre-sort

2023-10-07T00:44:15Z

0xRobocop marked the issue as remove high or low quality report

#5 - c4-sponsor

2023-10-24T16:00:53Z

chechu marked the issue as disagree with severity

#6 - chechu

2023-10-24T16:01:38Z

Consider QA.

calculateAPR and estimateAPR return values that should be considered estimations. They consider the current situation of the contract, in the current block, but there are a lot of external factors that will affect these estimations. For example, if another user withdraws their XVS, the sum of scores will change and the APR of our user will change.

#7 - c4-sponsor

2023-10-24T18:36:59Z

chechu (sponsor) confirmed

#8 - c4-judge

2023-10-31T20:42:31Z

fatherGoose1 changed the severity to QA (Quality Assurance)

#9 - fatherGoose1

2023-10-31T20:43:33Z

Agree with QA. The functions provide estimations of APR. All APRs across DeFi are estimations that vary often upon changing other underlying factors.

#10 - c4-judge

2023-11-03T01:43:12Z

fatherGoose1 marked the issue as grade-b
