Back to pavankv's contests

Popcorn contest - pavankv's results

A multi-chain regenerative yield-optimizing protocol.

General Information

Platform: Code4rena

Start Date: 31/01/2023

Pot Size: $90,500 USDC

Total HM: 47

Participants: 169

Period: 7 days

Judge: LSDan

Total Solo HM: 9

Id: 211

League: ETH

Popcorn

Findings Distribution

Researcher Performance

Rank: 104/169

Findings: 2

Award: $40.06

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPopcorn

Findings Information

🌟 Selected for report: csanuragjain

Also found by: 0xNazgul, 0xNineDec, 0xSmartContract, 0xdeadbeef0x, Bauer, Deivitto, Josiah, KIntern_NA, RaymondFam, Rolezn, UdarTeam, Viktor_Cortess, btk, joestakey, koxuan, pavankv, rbserver, rvi0x

Awards

4.5833 USDC - $4.58

Labels

bug
2 (Med Risk)
partial-50
sponsor confirmed
edited-by-warden
duplicate-503

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L153

Vulnerability details

Impact

A transfer-on-fee token or a deflationary/rebasing token, causing the received amount to be less than the accounted amount. For instance, a deflationary tokens might charge a certain fee for every transfer()/transferFrom() or safeTransfer()/safeTransferFrom() .

Summary

User calls _deposit(address,address,100,100) if assets is deflationary tokens or transfer-on-fee tokens ,AdapterBase.sol receives only 99 due to transfer-on-fee tokens .And in line AdapterBase.sol#L156 it takes direct assets from parameter as 100 but in reality AdapterBase.sol receives only 99 , protocolDeposit() consider 100 tokens only.

Proof of Concept

Below mentioned line also have same issue https://github.com/code-423n4/2023-01-popcorn//blob/main/src/utils/MultiRewardEscrow.sol#L100 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L153 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L230 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/VaultController.sol#L170 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L153 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L193 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/VaultController.sol#L457

Tools Used

Manual View

To mitigate this issue maintain before and after balance

change to :-

uint balBefore = balanceOf(address(this)); IERC20(asset()).safeTransferFrom(caller, address(this), assets); uint balAfter = balanceOf(address(this)); uint received = balAfter-balBefore; _protocolDeposit(received, shares);

Here _protocolDeposit() get exact amount tokens received .

Reference:-

https://github.com/code-423n4/2022-12-prepo-findings/issues/13

#0 - c4-judge

2023-02-16T07:06:58Z

dmvt marked the issue as duplicate of #44

#1 - c4-sponsor

2023-02-18T11:48:50Z

RedVeil marked the issue as sponsor confirmed

#2 - c4-judge

2023-02-23T00:44:46Z

dmvt marked the issue as partial-50

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x3b, 0xAgro, 0xBeirao, 0xMirce, 0xNineDec, 0xRobocop, 0xSmartContract, 0xTraub, 0xWeiss, 2997ms, 41i3xn, Awesome, Aymen0909, Bauer, Bnke0x0, Breeje, Cryptor, DadeKuma, Deathstore, Deekshith99, DevABDee, DevTimSch, Dewaxindo, Diana, Ermaniwe, Guild_3, H0, IceBear, Inspectah, JDeryl, Kaiziron, Kaysoft, Kenshin, Mukund, Praise, RaymondFam, Rickard, Rolezn, Ruhum, Sathish9098, SkyWalkerMan, SleepingBugs, UdarTeam, Udsen, Walter, aashar, adeolu, apvlki, arialblack14, ast3ros, btk, chaduke, chandkommanaboyina, chrisdior4, climber2002, codetilda, cryptonue, cryptostellar5, csanuragjain, ddimitrov22, descharre, dharma09, doublesharp, eccentricexit, ethernomad, fs0c, georgits, halden, hansfriese, hashminer0725, immeas, lukris02, luxartvinsec, matrix_0wl, merlin, mookimgo, mrpathfindr, nadin, olegthegoat, pavankv, rbserver, rebase, savi0ur, sayan, scokaf, seeu, shark, simon135, tnevler, tsvetanovv, ulqiorra, ustas, waldenyan20, y1cunhui, yongskiws, yosuke

Awards

35.4779 USDC - $35.48

Labels

bug
grade-b
QA (Quality Assurance)
edited-by-warden
Q-102

External Links

Link to GitHub issue

1 . Include return parameters in NatSpec comments

It is recommended that Solidity contracts are fully annotated using NatSpec for all public interfaces (everything in the ABI). It is clearly stated in the Solidity official documentation. In complex projects such as Defi, the interpretation of all functions and their arguments and returns is important for code readability and auditability.

https://docs.soliditylang.org/en/v0.8.15/natspec-format.html

If Return parameters are declared, you must prefix them with ”/// @return”.

Some code analysis programs do analysis by reading NatSpec details, if they can’t see the “@return” tag, they do incomplete analysis. Recommended Mitigation Steps Include return parameters in NatSpec comments

codesnippet:- https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L89 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L110 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L129 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L147 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L173 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L193 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/VaultController.sol#L203 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/VaultController.sol#L242

2 .Add Zero check for shares :-

code snippet:- https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L129 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L118 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L129

3 . modifiers should be use only for external or public not internal functions :-

modifiers should be use only for external or public not internal functions because internal function can call by internal only so add to deposit() in line AdapterBase.sol#L110. Internals cannot called by external users so add to exteranl function only to mint() , deposit() and other .

code snippet:- https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L152

4 .Events should emit after operation :-

In below mentioned code emit should after operation because if adapter didn't approve but event emitted changed adapter .

code snippeT:- https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L606

5.Remove empty blocks to save gas:-

Remove empty blocks because while deploying even single letter will consume the gas .

code snippet:- https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L477

6 . No events for changes :-

In changeRewardSpeed() changes the reward speed but no events to emit ,it a good practice to add event to changes.

code snippet:- https://github.com/code-423n4/2023-01-popcorn//blob/main/src/utils/MultiRewardStaking.sol#L296

#0 - c4-judge

2023-02-28T14:58:00Z

dmvt marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter