Platform: Code4rena
Start Date: 13/11/2023
Pot Size: $24,500 USDC
Total HM: 3
Participants: 120
Period: 4 days
Judge: 0xTheC0der
Id: 306
League: ETH
Rank: 14/120
Findings: 1
Award: $690.37
🌟 Selected for report: 0
🚀 Solo Findings: 0
690.3741 USDC - $690.37
The cNote token which is a fork of the CToken contract has a scaling method used to handle the exchange rate between CToken and the underlying token. This method helps scale the exchange rate because solidity doesn't handle fixed-point decimals. The formulae used to calculate the scaling factor is:(10^(10+decimals of the underlying)) In the case of the cNote the scaling factor would result in 10e28.
The bug is noted because the cNote exchange-rate is actually scaled by 1e18, which would always result in an underflow error potentially leading to a permanent DOS.
//SPDX-License-Identifier:UNLICENSED pragma solidity ^0.8;
import "forge-std/Test.sol"; import "src/asD.sol";
contract asDTest is Test { CErc20Interface cNote = CErc20Interface(0xEe602429Ef7eCe0a13e4FfE8dBC16e101049504C);
IERC20 Note = IERC20(0x4e71A2E537B7f9D9413D3991D37958c0b5e1e503); asD asd; address alice = makeAddr("Alice"); function setUp() external { vm.createSelectFork(vm.envString("CANTO_RPC_URL")); asd = new asD(" ASD-Token", "asD", address(this), address(cNote), address(this)); } function testUnderflow() external { //make a deposit vm.startPrank(alice); //deal alice some Note Tokens to deposit deal(address(Note), alice, 10e18); //approve the asd contract Note.approve(address(asd), 10e18); asd.mint(10e18); vm.stopPrank(); //calling withdrawCarry() should revert with an underflow error vm.expectRevert(); //withdrawal should result in a revert asd.withdrawCarry(1); }
} //logs [PASS] testUnderflow() (gas: 476608) Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 27.46s
Foundry
set scaling factor to 1e18
Other
#0 - c4-pre-sort
2023-11-18T16:34:54Z
minhquanym marked the issue as duplicate of #227
#1 - c4-judge
2023-11-28T22:58:08Z
MarioPoneder marked the issue as satisfactory