JPEG'd contest - peritoflores's results

Bridging the gap between DeFi and NFTs.

General Information

Platform: Code4rena

Start Date: 07/04/2022

Pot Size: $100,000 USDC

Total HM: 20

Participants: 62

Period: 7 days

Judge: LSDan

Total Solo HM: 11

Id: 107

League: ETH

JPEG'd

Researcher Performance

Rank: 61/62

Findings: 1

Award: $25.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

25.7805 USDC - $25.78

Labels

bug
duplicate
2 (Med Risk)

External Links

Lines of code

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/FungibleAssetVaultForDAO.sol#L105

Vulnerability details

Impact

Usage of a deprecated Chainlink function to get the collateral price.

Proof of Concept

The Chainlink API (latestAnswer) used in the FungibleAssetVaultForDAO contract is deprecated:

https://web.archive.org/web/20210304160150/https://docs.chain.link/docs/deprecated-aggregatorinterface-api-reference

This method returns the last value, but that value cannot be fully updated. The new V3 API is much more complete and allows you to make more checks, for example when that price was updated.

https://docs.chain.link/docs/price-feeds-api-reference/

Tools Used

Manual code review

Use the latestRoundData() function to get the price instead and perform proper checks.
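
One way to apply this recommendation, as an added example that is not part of the original submission or the JPEG'd code base: a price reader that calls latestRoundData() and rejects non-positive, incomplete or stale answers. The contract name, the MAX_PRICE_AGE bound and the scaling to 18 decimals are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface needed by this example.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical consumer contract (name is an assumption, not project code).
contract CheckedPriceReader {
    AggregatorV3Interface public immutable oracle;

    // Assumed staleness bound; choose it from the feed's documented heartbeat.
    uint256 public constant MAX_PRICE_AGE = 1 hours;

    constructor(AggregatorV3Interface _oracle) {
        oracle = _oracle;
    }

    /// @return price the latest oracle answer scaled to 18 decimals
    function collateralPriceUsd() external view returns (uint256 price) {
        // latestAnswer() exposes only the value; latestRoundData() also
        // returns the timestamp needed to judge freshness.
        (, int256 answer, , uint256 updatedAt, ) = oracle.latestRoundData();

        require(answer > 0, "invalid_oracle_answer");
        require(updatedAt != 0, "round_not_complete");
        require(updatedAt <= block.timestamp, "timestamp_in_future");
        require(block.timestamp - updatedAt <= MAX_PRICE_AGE, "stale_price");

        // Normalise the feed's precision to 18 decimals.
        uint8 decimals = oracle.decimals();
        price = decimals > 18
            ? uint256(answer) / 10 ** (decimals - 18)
            : uint256(answer) * 10 ** (18 - decimals);
    }
}
```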

#0 - spaghettieth

2022-04-14T13:01:39Z

Duplicate of #4
