Amun contest - p4st13r4's results

We build tokens to make it easy to invest in crypto.

General Information

Platform: Code4rena

Start Date: 13/12/2021

Pot Size: $75,000 USDC

Total HM: 11

Participants: 30

Period: 7 days

Judge: leastwood

Total Solo HM: 4

Id: 68

League: ETH

Amun

Findings Distribution

Researcher Performance

Rank: 17/30

Findings: 4

Award: $739.46

🌟 Selected for report: 1

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: pmerkleplant

Also found by: WatchPug, certora, hyh, p4st13r4, pauliax, robee

Labels

bug
duplicate
2 (Med Risk)

Awards

228.0947 USDC - $228.09

External Links

Handle

p4st13r4

Vulnerability details

Impact

An attacker can perform a DoS attack by sending a small quantity of outputToken on SingleTokenJoin. Affected code is at https://github.com/code-423n4/2021-12-amun/blob/main/contracts/basket/contracts/singleJoinExit/SingleTokenJoin.sol#L134

More details: https://github.com/crytic/slither/wiki/Detector-Documentation#dangerous-strict-equalities

Tools Used

Editor

Possible mitigation: Consider renaming outputAmount to minOutputAmount and changing the require to:

require(minOutputAmount >= _joinTokenStruct.outputAmount, "FAILED_OUTPUT_AMOUNT")

#0 - loki-sama

2022-01-03T09:27:10Z

duplicate #81

Findings Information

🌟 Selected for report: cmichel

Also found by: JMukesh, WatchPug, defsec, p4st13r4

Labels

bug
duplicate
2 (Med Risk)

Awards

394.2378 USDC - $394.24

External Links

Handle

p4st13r4

Vulnerability details

Impact

Standard ERC20 tokens return a boolean when the transfer method is called. A check should be done to account for ERC20 tokens that are not compliant with the standard.

Proof of Concept

Relevant lines:

Tools Used

Editor

Check the transfer return value, or use OpenZeppelin's safeTransfer.

#0 - loki-sama

2022-01-04T10:30:33Z

duplicate #232

#1 - 0xleastwood

2022-01-22T04:09:08Z

Duplicate of #192

Findings Information

🌟 Selected for report: GiveMeTestEther

Also found by: JMukesh, Ruhum, WatchPug, certora, cmichel, kenzo, p4st13r4, pauliax, robee

Labels

bug
duplicate
1 (Low Risk)

Awards

38.7989 USDC - $38.80

External Links

Handle

p4st13r4

Vulnerability details

Impact

Contracts in the folder basket/contracts/singleJoinExit make use of the unsafe address.transfer() method.

The use of this function could have unintended outcomes on the ETH being sent to the receiver. Funds can potentially be lost if:

  1. The smart contract fails to implement the payable fallback function
  2. The fallback function uses more than 2300 gas units

The latter situation may occur in the instance of gas cost changes. The impact would mean that any contracts receiving funds would potentially be unable to retrieve funds.

Proof of Concept

Affected lines are here:

  • contracts/basket/contracts/singleJoinExit/EthSingleTokenJoin.sol:37
  • contracts/basket/contracts/singleJoinExit/EthSingleTokenJoinV2.sol:37
  • contracts/basket/contracts/singleJoinExit/SingleNativeTokenExit.sol:93
  • contracts/basket/contracts/singleJoinExit/SingleNativeTokenExitV2.sol:121

Tools Used

Editor

Consider using address.call{value: v}("") and checking the return value, or OpenZeppelin's Address library instead.

#0 - loki-sama

2021-12-29T11:46:52Z

Duplicate #231

#1 - 0xleastwood

2022-01-23T03:27:32Z

Duplicate of #175
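
The gas-stipend issue from this finding and the suggested mitigation, side by side, as an added example that is not part of the submission or the Amun code base. The contract names, function names and revert string are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; all names below are hypothetical, not from the Amun contracts.

/// Receiver whose receive() writes to storage, which needs more than 2300 gas.
contract StorageWritingReceiver {
    uint256 public deposits;

    receive() external payable {
        deposits += msg.value; // SSTORE cannot run inside the 2300 gas stipend
    }
}

contract EthSender {
    /// Pattern flagged in the finding: transfer() forwards a fixed 2300 gas,
    /// so the whole call reverts when `to` is a StorageWritingReceiver.
    function sendWithTransfer(address payable to) external payable {
        to.transfer(msg.value);
    }

    /// Suggested mitigation: forward the available gas with call and check
    /// the boolean result instead of ignoring it.
    /// call hands control to `to`, so finish state updates before it
    /// or protect the function with a reentrancy guard.
    function sendWithCall(address payable to) external payable {
        (bool ok, ) = to.call{value: msg.value}("");
        require(ok, "ETH_TRANSFER_FAILED");
    }
}
```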

Findings Information

🌟 Selected for report: p4st13r4

Labels

bug
G (Gas Optimization)

Awards

78.3316 USDC - $78.33

External Links

Handle

p4st13r4

Vulnerability details

Impact

If a rebalance is done in more than one transaction, locking the basket at each transaction can be avoided.

Proof of Concept

Tools Used

Editor

(a) Implement lock() method in RebalanceManager.sol, RebalanceManagerV2.sol, RebalanceManagerV3.sol as:

function lock() external onlyRebalanceManager {
    basket.singleCall(
        address(basket),
        abi.encodeWithSelector(basket.setLock.selector, _block),
        0
    );
}

Effectively making lockBasketData not needed. RebalanceManager.sol, RebalanceManagerV2.sol will need a new constructor argument uint256 _lockTime and a new state variable uint256 public lockTime.

(b) In RebalanceManager.sol, RebalanceManagerV2.sol, RebalanceManagerV3.sol remove the line lockBasketData(block.number + 30) at the beginning of rebalance method.

(c) On rebalance method first line in RebalanceManager.sol, RebalanceManagerV2.sol add require(basket.getLock(), "REQUIRE_LOCK") (as in contracts/basket/contracts/callManagers/RebalanceManagerV3.sol)

When performing a rebalance:

(d) Call RebalanceManager.lock().

(e) Perform the rebalance using the rebalance() method.
