Back to pedroais's contests

Phuture Finance contest - pedroais's results

Crypto index platform, that simplifies your investments through automated, themed index products.

General Information

Platform: Code4rena

Start Date: 19/04/2022

Pot Size: $30,000 USDC

Total HM: 10

Participants: 43

Period: 3 days

Judges: moose-code, JasoonS

Total Solo HM: 7

Id: 90

League: ETH

Phuture Finance

Findings Distribution

Researcher Performance

Rank: 8/43

Findings: 2

Award: $906.87

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPhuture Finance

Findings Information

🌟 Selected for report: cccz

Also found by: Kenshin, TrungOre, hyh, pedroais

Labels

bug
duplicate
3 (High Risk)

Awards

884.8186 USDC - $884.82

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/IndexLogic.sol#L48 https://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/vToken.sol#L110

Vulnerability details

Impact

All funds will be lost

Proof of Concept

To mint new index tokens underlying tokens need to be deposited in Vtoken.sol and then call the mint function.

The mint function does balance-previousBalance to calculate tokens that were deposited. The previous balance can be updated with the sync() function that anyone can call. After the user deposits tokens, an attacker can call sync() and the previous balance will be equal to the current balance. Then he can deposit a small amount of tokens.

Finally, if the user mints he will get the very small amount deposited by the attacker and his funds will be lost since the function will only deposit what was sent after the sync() function is called.

This is solved by doing the transfer and mint in only one transaction. In talks with the sponsor they said this is done in a contract that's outside scope and wasn't provided to wardens so I consider this a valid issue within the provided contracts.

Do transfer of underlying and mint in a single transaction.

#0 - olivermehr

2022-05-02T20:31:37Z

Duplicate issue of #19

Findings Information

🌟 Selected for report: cccz

Also found by: 0xkatana, Dravee, IllIllI, WatchPug, berndartmueller, defsec, fatima_naz, jah, kebabsec, kenta, pedroais, peritoflores, rayn, reassor, tabish

Awards

22.0499 USDC - $22.05

Labels

bug
duplicate
2 (Med Risk)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/ChainlinkPriceOracle.sol#L83

Vulnerability details

Impact

Oracle data can be stale which can lead to wrong calculations for balancing indexes.

Proof of Concept

When lastRoundData() is called only price is pulled from the provided data. RoundId should be checked to ensure the data is updated.

(uint roundID, int BasePrice, , uint timestamp, uint answeredInRound) = baseAggregator.latestRoundData();
require(daiPrice > 0, "ChainLink: DAI price <= 0");
require(answeredInRound >= roundID, "ChainLink: Stale price");
require(timestamp > 0, "ChainLink: Round not complete");

#0 - olivermehr

2022-05-02T20:26:19Z

Duplicate of issue #1

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter