Back to p4st13r4's contests

FactoryDAO contest - p4st13r4's results

The DAO that builds DAOs.

General Information

Platform: Code4rena

Start Date: 04/05/2022

Pot Size: $50,000 DAI

Total HM: 24

Participants: 71

Period: 5 days

Judge: Justin Goro

Total Solo HM: 14

Id: 119

League: ETH

FactoryDAO

Findings Distribution

Researcher Performance

Rank: 71/71

Findings: 1

Award: $3.18

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryFactoryDAO

Findings Information

🌟 Selected for report: MaratCerby

Also found by: 0x1337, 0x52, 0xYamiDancho, AuditsAreUS, CertoraInc, Dravee, GimelSec, IllIllI, PPrieditis, Ruhum, TrungOre, VAD37, berndartmueller, cccz, csanuragjain, defsec, hickuphh3, horsefacts, hyh, jayjonah8, kenzo, leastwood, mtz, p4st13r4, reassor, throttle, wuwe1, ych18

Awards

3.1753 DAI - $3.18

Labels

bug
duplicate
2 (Med Risk)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L144 https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/MerkleVesting.sol#L173

Vulnerability details

Impact

Most of the FactoryDAO code use no external dependencies. When handling ERC-20 transfers, the IERC20.sol interface is imported and basic methods like transfer or transferFrom are called throughout the codebase.

However, this may lead to some issues when dealing with non ERC-20 compliant tokens such as USDT, which return void instead of boolean in transfer functions. So the following lines of code would revert if an user wanted to init a pool using USDT:

function fundPool(uint poolId) internal {
    Pool storage pool = pools[poolId];
    bool success = true;
    uint amount;
    for (uint i = 0; i < pool.rewardFunding.length; i++) {
        amount = getMaximumRewards(poolId, i);
        // transfer the tokens from pool-creator to this contract
        success = success && IERC20(pool.rewardTokens[i]).transferFrom(msg.sender, address(this), amount);
        // bookkeeping to make sure pools don't share tokens
        pool.rewardFunding[i] += amount;
    }
    require(success, 'Token deposits failed');
}

This snippet is taken from PermissionlessBasicPoolFactory.sol but similar ones are used in many places around the codebase where the result of transferFrom is always checked. Everywhere the returned value is checked, except for MerkleVesting.sol: https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/MerkleVesting.sol#L173

The codebase contains many comments regarding malicious tokens etc, but in this case, the current implementation would prevent using many non-malicious, widespread tokens such as USDT.

Tools Used

Editor

Use OZ SafeERC20 library which checks for non compliant tokens and handles them correctly. If using external libraries is out-of-scope, then write a small equivalent internal module that behaves the same as OZ’library

#0 - illuzen

2022-05-10T15:35:03Z

duplicate https://github.com/code-423n4/2022-05-factorydao-findings/issues/34

#1 - itsmetechjay

2022-05-12T19:07:56Z

Re-closing as duplicate.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter