Tigris Trade contest - peanuts's results

A multi-chain decentralized leveraged exchange featuring instant settlement and guaranteed price execution on 30+ pairs.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $90,500 USDC

Total HM: 35

Participants: 84

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 12

Id: 192

League: ETH

Tigris Trade

Findings Distribution

Researcher Performance

Rank: 79/84

Findings: 1

Award: $1.15

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

1.1472 USDC - $1.15

Labels

bug
2 (Med Risk)
satisfactory
sponsor acknowledged
duplicate-377

External Links

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L307-L309

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L349-L355

Vulnerability details

Impact

A malicious or compromised owner can deny service to the whole protocol by disallowing every asset, or simply by never adding any. Because the allow-lists in BondNFT, Lock and GovNFT are owner-only and have no delay or user-side escape hatch, there is no way for users to react before an asset stops being usable.

Proof of Concept

The owner has to add an asset before it can be used in BondNFT.sol:

```solidity
function addAsset(address _asset) external onlyOwner {
    require(assets.length == 0 || assets[assetsIndex[_asset]] != _asset, "Already added");
    assetsIndex[_asset] = assets.length;
    assets.push(_asset);
    allowedAsset[_asset] = true;
    epoch[_asset] = block.timestamp/DAY;
}
```

The owner can also toggle an asset on or off at any time with editAsset in Lock.sol:

```solidity
function editAsset(
    address _tigAsset,
    bool _isAllowed
) external onlyOwner() {
    allowedAssets[_tigAsset] = _isAllowed;
}
```

Likewise, in GovNFT.sol, the owner can setAllowedAsset:

```solidity
function setAllowedAsset(address _asset, bool _bool) external onlyOwner {
    _allowedAsset[_asset] = _bool;
}
```

Tools Used

Manual Review

Recommended Mitigation Steps

Use a DAO or a set of multisig addresses as owner, and/or have a set of assets already allowed at deployment, to counter the centralization issue.
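The mitigation above is organisational (who holds the owner key). As an added example that is not part of this finding or of the Tigris code base, the contract below shows the contract-level complement a reviewer would usually ask for alongside a multisig or DAO owner: disallowing an asset is a two-step, time-delayed action, and the last allowed asset can never be removed, so the "disallow everything" and "never add anything" paths from the Impact section are closed off. The contract name, the `DISALLOW_DELAY` value, the `queueDisallow`/`cancelDisallow`/`executeDisallow` functions and the event names are all my own assumptions, not Tigris identifiers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example only. Assumed design: allow-list changes that reduce what users
// can do are announced on-chain and only take effect after DISALLOW_DELAY,
// and the registry can never end up with zero allowed assets.
contract AssetRegistryWithDelay {
    address public owner;
    uint256 public constant DISALLOW_DELAY = 2 days; // assumed value

    mapping(address => bool) public allowedAsset;     // currently usable
    mapping(address => bool) public known;            // ever added (prevents duplicate pushes)
    mapping(address => uint256) public pendingDisallowAt; // 0 = nothing queued
    address[] public assets;
    uint256 public allowedCount;

    event AssetAdded(address indexed asset);
    event DisallowQueued(address indexed asset, uint256 effectiveAt);
    event DisallowCancelled(address indexed asset);
    event DisallowExecuted(address indexed asset);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Deployment must seed at least one asset, so the protocol is never
    // stuck in a state where nothing can be used.
    constructor(address[] memory initialAssets) {
        owner = msg.sender;
        for (uint256 i = 0; i < initialAssets.length; i++) {
            _allow(initialAssets[i]);
        }
        require(allowedCount > 0, "no initial assets");
    }

    // Adding (or re-allowing) an asset only widens what users can do, so it
    // can take effect immediately.
    function addAsset(address asset) external onlyOwner {
        _allow(asset);
    }

    function _allow(address asset) internal {
        require(asset != address(0), "zero address");
        require(!allowedAsset[asset], "already allowed");
        if (!known[asset]) {
            known[asset] = true;
            assets.push(asset);
        }
        allowedAsset[asset] = true;
        allowedCount++;
        delete pendingDisallowAt[asset];
        emit AssetAdded(asset);
    }

    // Step 1: the owner announces the removal. Users see DisallowQueued and
    // have DISALLOW_DELAY to unwind positions in that asset.
    function queueDisallow(address asset) external onlyOwner {
        require(allowedAsset[asset], "not allowed");
        require(allowedCount > 1, "cannot remove last asset");
        uint256 effectiveAt = block.timestamp + DISALLOW_DELAY;
        pendingDisallowAt[asset] = effectiveAt;
        emit DisallowQueued(asset, effectiveAt);
    }

    function cancelDisallow(address asset) external onlyOwner {
        require(pendingDisallowAt[asset] != 0, "nothing queued");
        delete pendingDisallowAt[asset];
        emit DisallowCancelled(asset);
    }

    // Step 2: anyone may execute once the delay has elapsed. The last-asset
    // check is repeated here because other removals may have landed meanwhile.
    function executeDisallow(address asset) external {
        uint256 effectiveAt = pendingDisallowAt[asset];
        require(effectiveAt != 0, "nothing queued");
        require(block.timestamp >= effectiveAt, "delay not elapsed");
        require(allowedAsset[asset], "not allowed");
        require(allowedCount > 1, "cannot remove last asset");
        delete pendingDisallowAt[asset];
        allowedAsset[asset] = false;
        allowedCount--;
        emit DisallowExecuted(asset);
    }

    function assetCount() external view returns (uint256) {
        return assets.length;
    }
}
```

The delay does not remove the trust placed in the owner; a multisig or DAO owner is still the primary control. What it changes is the failure mode: a hostile or compromised owner can no longer switch off every asset in a single transaction, and the `DisallowQueued` event gives users and monitoring a window to exit or to contest the change through governance before it bites.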

#0 - TriHaz

2023-01-09T16:59:02Z

We are aware of the centralization risks. Initially, all contracts will have a multi-sig as owner to prevent a sole owner; later on, a DAO could be the owner.

#1 - c4-sponsor

2023-01-09T16:59:06Z

TriHaz marked the issue as sponsor acknowledged

#2 - c4-judge

2023-01-15T14:00:57Z

GalloDaSballo marked the issue as duplicate of #377

#3 - c4-judge

2023-01-22T17:33:36Z

GalloDaSballo marked the issue as satisfactory
