Platform: Code4rena
Start Date: 14/06/2022
Pot Size: $100,000 USDC
Total HM: 26
Participants: 59
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 9
Id: 133
League: ETH
Rank: 10/59
Findings: 10
Award: $3,134.46
π Selected for report: 2
π Solo Findings: 0
π Selected for report: Soosh
Also found by: 0x1f8b, Ruhum, TerrierLover, WatchPug, cccz, csanuragjain, hake, p4st13r4, zzzitron
782.2807 CANTO - $126.34
126.3383 USDC - $126.34
Affected code:
The function AddProposal() allows anyone to manipulate the mapping of proposals, which means that anyone is able to add new proposals, as well as to replace existing ones. This is malicious behaviour which could led to governance wrongdoings
Editor
The function is possibly missing some access control guard. Anyway, the contract should keep a lastProposal variable, use it anytime a new proposal is created, and increment it later
#0 - tkkwon1998
2022-06-22T19:45:28Z
Duplicate of #26
#1 - GalloDaSballo
2022-08-10T22:14:19Z
Dup of #26
2649.5985 CANTO - $427.91
427.9102 USDC - $427.91
https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/CNote.sol#L43 https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/CNote.sol#L54 https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/CNote.sol#L114 https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/CNote.sol#L198 https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/CNote.sol#L214 https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/CNote.sol#L310
Affected code:
When calling borrowFresh(), the contract checks that initial balance of Note for the contract itself is zero and that after the mint the balance is exactly equal to the mint amount. This is very dangerous because an attacker could transfer 1 wei to the contract and make impossible for everybody to actually borrow any money.
This checks are spread into all the other functions of the contract: repayBorrowFresh(), mintFresh(), redeemFresh(). The impact is exactly the same (DOS), but during different phases of the interactions with the contract.
1 wei of Note to CNote.sol contractborrowFresh has the tx revert with the reason CNote::borrowFresh:Impossible reserves in CNote market PlaceEditor
Remove the checks for zero amounts, and transform the == checks into >= checks
#0 - ecmendenhall
2022-06-21T22:51:24Z
#1 - tkkwon1998
2022-06-22T19:47:33Z
Duplicate of #227
π Selected for report: p4st13r4
Also found by: Ruhum, TerrierLover, WatchPug, hansfriese, zzzitron
320.9326 USDC - $320.93
1987.1989 CANTO - $320.93
Affected code:
WETH.sol is almost copied from the infamous WETH contract that lives in mainnet. This contract is supposed to receive the native currency of the blockchain (for example ETH) and wrap it into a tokenized, ERC-20 form. This contract computes the totalSupply() using the balance of the contract itself stored in the balanceOf mapping, when instead it should be using the native balance function. This way, totalSupply() always returns zero as the WETH contract itself has no way of calling deposit to itself and increase its own balance
WETH.solbalanceOf() for her address and it returns 100 WETHtotalSupply(), expecting to see 100 WETH, but it returns 0Editor
function totalSupply() public view returns (uint) { return address(this).balance }
#0 - GalloDaSballo
2022-08-10T22:31:43Z
The warden has shown how, due to a programming mistake, the WETH totalSupply will be incorrect.
Mitigation seems straightforward, however, because the vulnerability would have causes totalSupply to return 0, and shows a broken functionality for a core contract, I think High Severity to be appropriate
#1 - auditor0517
2022-08-15T08:05:24Z
I think #218 is a different issue from #191. #218 is for WETH.allowance() and #191 is for WETH.totalSupply().
#2 - auditor0517
2022-08-15T08:07:55Z
I see GalloDaSballo said that #218 should be High with the similar reason of #191.
427.9102 USDC - $427.91
2649.5985 CANTO - $427.91
Affected code:
The function _mint_to_Accountant() is supposed to be called after contract initialization, so that the accountant is immediately set and all the tokens are mint to them. However, this function completely lacks any access control (itβs just external) so an attacker can monitor the mempool and frontrun the transaction in order to become accountant and own all the Note tokens
Editor
The function should have a guard that regulates access control
#0 - tkkwon1998
2022-06-22T19:46:51Z
Duplicate of #173
#1 - GalloDaSballo
2022-08-12T00:34:01Z
Dup of #173
264.1421 USDC - $264.14
1635.5547 CANTO - $264.14
Affected code:
The function _setAccountantContract() is supposed to be called after contract initialization, so that the accountant is immediately set. However, this function completely lacks any access control (itβs just public) so an attacker can monitor the mempool and frontrun the transaction in order to become both accountant and admin
Editor
The function should:
admin too, which is dangerous and out of scope#0 - GalloDaSballo
2022-08-04T17:32:25Z
Frontrunnable Initializer without POC (is impact having to re-deploy?)
Pretty confident will downgrade
#1 - GalloDaSballo
2022-08-12T00:32:54Z
The warden has shown how, due to front-running, anyone can become the accountant, with the information I have I think the worst case scenario is a re-deploy.
Because the setter could have been written in a better way, but because the realistic consequence is a re-deploy I think Medium Severity to be more appropriate