Back to nalus's contests

Y2k Finance contest - nalus's results

A suite of structured products for assessing pegged asset risk.

General Information

Platform: Code4rena

Start Date: 14/09/2022

Pot Size: $50,000 USDC

Total HM: 25

Participants: 110

Period: 5 days

Judge: hickuphh3

Total Solo HM: 9

Id: 162

League: ETH

Y2k Finance

Findings Distribution

Researcher Performance

Rank: 37/110

Findings: 2

Award: $163.57

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryY2k Finance

Findings Information

🌟 Selected for report: rbserver

Also found by: Chom, ak1, nalus, robee

Labels

bug
duplicate
2 (Med Risk)
sponsor disputed
partial-25

Awards

155.5605 USDC - $155.56

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L407 https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L400 https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L419

Vulnerability details

Multiplication should be used after division, otherwise, the rounding error calculated after division is multiplied, causing a high deviation from the actual result.

Example: 17 / 9 * 1000 equals to 1888.. But in the contract (since it rounds down after division), it would return 1000. making it an 88% deviation.

Division should therefore be placed at the end of the equation to minimize the error.

#0 - 3xHarry

2022-09-22T10:34:22Z

@MiguelBits i agree with this

#1 - MiguelBits

2022-09-23T17:52:11Z

the thing is I have to do the division first, to calculate the percentage the user owns of the vault, and only after multiply by the amount to be claimed

#2 - HickupHH3

2022-10-18T03:45:42Z

Disagree with the issue:

x.divWadDown(y).mulDivDown(z, a)
= x * WAD / y * z / a

is in the correct order of doing multiplication first, then div.

#3 - HickupHH3

2022-10-18T09:36:37Z

weak dup of #378

The mistake I made was that y might be greater than x * WAD. Best to simplify the it as how #378 suggested.

Findings Information

🌟 Selected for report: 0x1f8b

Also found by: 0x4non, Chom, JC, Jeiwan, Lambda, PwnPatrol, Rolezn, ak1, async, cryptphi, csanuragjain, datapunk, hyh, ladboy233, leosathya, nalus, pashov, scaraven, unforgiven

Awards

8.0071 USDC - $8.01

Labels

bug
duplicate
2 (Med Risk)
resolved
sponsor confirmed
satisfactory

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/oracles/PegOracle.sol#L63

Vulnerability details

Oracles can not always be trusted as they can be corrupt or send faulty data. Therefore data received from oracles should be validated. This has been done when receiving data in getOracle2_Price(), but not when receiving data from Oracle1.

If Oracle would for some reason stop feeding new prices, SC would see it as currency de-pegging and consequentially sending funds to the wrong actors.

#0 - HickupHH3

2022-10-18T03:25:20Z

dup #61

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter