ParaSpace contest - poirots's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Platform: Code4rena

Start Date: 28/11/2022

Pot Size: $192,500 USDC

Total HM: 33

Participants: 106

Period: 11 days

Judge: LSDan

Total Solo HM: 15

Id: 186

League: ETH

ParaSpace

Findings Distribution

Researcher Performance

Rank: 21/106

Findings: 1

Award: $1,219.66

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Franfran

Also found by: __141345__, poirots

Labels

bug
3 (High Risk)
partial-50
duplicate-455

Awards

1219.6604 USDC - $1,219.66

External Links

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol#L241-L277

Vulnerability details

Impact

The general idea of this snippet is to compute the square root of a price ratio:

$$\sqrt{\frac{price_0}{price_1}}$$

The first case (decimals are equal) adds an adjustment which is meant to preserve the final value in wei.

Note: we intentionally skip here the 2**92 component, to keep the formulas succinct.

$$\sqrt{\frac{price_0 \cdot 10^{18}}{price_1 \cdot 10^{18}}} \iff \frac{\sqrt{\frac{price_0 \cdot 10^{18}}{price_1}}}{10^{9}}$$

However, for the last case (oracleData.token1Decimal < oracleData.token0Decimal), the given formula appears different from the one that would be reached in the process above:

$$\sqrt{\frac{price_0 \cdot 10^{18 + d_0 - d_1}}{price_1 \cdot 10^{18 + d_0 - d_1}}} \iff \sqrt{\frac{price_0 \cdot 10^{18 + d_0 - d_1}}{price_1}} \cdot \sqrt{\frac{1}{10^{18 + d_0 - d_1}}}$$

It seems the square root was incorrectly ignored on the last branch, since the second component does not match the code's 1 / 10^(9 + d0 - d1) (it both misses the square root and transforms the 18 into a 9 incorrectly).

Tools Used

Manual analysis. Pen & paper. Excel
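As an added worked check (not part of the submission above or of the ParaSpace code), the Python below evaluates the two outer divisors the finding contrasts for the last branch: the 10^(9 + d0 - d1) quoted from the code, and the square-rooted divisor 10^(9 + (d0 - d1)/2) that the derivation calls for. The equal-decimals branch is modelled from the formula given in the finding; the exact layout of the last branch (scale under the root, multiply by 2^96, divide afterwards), the function names and the sample prices are assumptions for illustration. The derived value is computed through an algebraic identity rather than a literal 10^(9 + (d0 - d1)/2), because that divisor is not an integer when d0 - d1 is odd.

```python
from math import isqrt

Q96 = 2 ** 96  # fixed-point scale of a Uniswap v3 sqrtPriceX96


def sqrt_price_equal_decimals(price0: int, price1: int) -> int:
    """Equal-decimals branch as described in the finding: scale the ratio by
    10**18 under the square root (for integer precision), then divide by
    10**9, the square root of that scaling, so the adjustment cancels:
        sqrt(price0 * 10**18 / price1) / 10**9 == sqrt(price0 / price1)
    """
    return isqrt(price0 * 10 ** 18 // price1) * Q96 // 10 ** 9


def sqrt_price_code_last_branch(price0: int, price1: int, d0: int, d1: int) -> int:
    """Last branch (token1Decimal < token0Decimal) with the outer divisor the
    finding quotes from the code: 10**(9 + d0 - d1).  The ordering of the
    operations (root, then 2**96, then the divisor) is an assumption."""
    if d0 <= d1:
        raise ValueError("branch applies only when token1Decimal < token0Decimal")
    k = d0 - d1
    return isqrt(price0 * 10 ** (18 + k) // price1) * Q96 // 10 ** (9 + k)


def sqrt_price_finding_derivation(price0: int, price1: int, d0: int, d1: int) -> int:
    """Value the finding's derivation calls for: the same 10**(18 + d0 - d1)
    under the root, but an outer divisor that is its square root,
    10**(9 + (d0 - d1)/2).  For odd d0 - d1 that divisor is not an integer,
    so the identity
        sqrt(x * 10**(18 + k)) / 10**(9 + k/2) == sqrt(x * 10**18) / 10**9
    is used; it reduces exactly to the equal-decimals branch."""
    if d0 <= d1:
        raise ValueError("branch applies only when token1Decimal < token0Decimal")
    return sqrt_price_equal_decimals(price0, price1)


def discrepancy(price0: int, price1: int, d0: int, d1: int) -> tuple:
    """Return (code_value, derived_value, derived_value // code_value).
    The finding's claim is that the code value is smaller by the un-rooted
    half of the decimals adjustment, i.e. the ratio is 10**((d0 - d1)/2)."""
    code = sqrt_price_code_last_branch(price0, price1, d0, d1)
    derived = sqrt_price_finding_derivation(price0, price1, d0, d1)
    return code, derived, derived // code


if __name__ == "__main__":
    # Constructed sample (illustrative only): an 18-decimal token0 worth
    # 4 units of a 6-decimal token1, with oracle prices in 18-decimal units
    # as the 10**18 scaling in the finding suggests.
    price0, price1, d0, d1 = 4 * 10 ** 18, 10 ** 18, 18, 6
    code, derived, ratio = discrepancy(price0, price1, d0, d1)
    print(f"code branch value : {code}")
    print(f"derivation value  : {derived}")
    print(f"derived // code   : {ratio}  (finding predicts 10**({d0 - d1}/2))")
```

The check only compares the two formulas against each other; it does not decide which of them is the right sqrtPriceX96 for a given pool. When d0 - d1 is odd the predicted ratio is not a power of ten, so any fix that keeps the finding's target should fold the decimals adjustment under the square root rather than divide by a fractional power afterwards.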

#0 - c4-judge

2022-12-20T16:38:31Z

dmvt marked the issue as duplicate of #237

#1 - c4-judge

2023-01-09T13:46:40Z

dmvt marked the issue as partial-50

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
