Platform: Code4rena
Start Date: 18/04/2024
Pot Size: $36,500 USDC
Total HM: 19
Participants: 183
Period: 7 days
Judge: Koolex
Id: 367
League: ETH
Rank: 152/183
Findings: 2
Award: $0.30
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Maroutis
Also found by: 0x486776, 0xShitgem, 0xabhay, 0xleadwizard, 0xlemon, 0xnilay, 0xtankr, 3docSec, AM, Aamir, Abdessamed, Al-Qa-qa, AlexCzm, Circolors, CodeWasp, Daniel526, Egis_Security, Emmanuel, Giorgio, Honour, Hueber, Infect3d, Krace, KupiaSec, LeoGold, Limbooo, PoeAudits, SBSecurity, SpicyMeatball, T1MOH, The-Seraphs, TheSavageTeddy, TheSchnilch, Topmark, VAD37, ZanyBonzy, adam-idarrha, bhilare_, btk, carlitox477, cinderblock, dimulski, falconhoof, grearlake, gumgumzum, iamandreiski, itsabinashb, josephdara, ke1caM, kennedy1030, ljj, n0kto, n4nika, neocrao, oakcobalt, petro_1912, pontifex, poslednaya, shaflow2, shikhar229169, web3km, ych18, zhaojohnson, zigtur
0.2831 USDC - $0.28
User can double deposit via providing the same Vault address to both Non-Kerosene and Kerosene Vaults lists if protocol will be deployed via provided Deploy.V2 script.
Protocol has 2 licensing system to approve vaults addresses.
To approve non-Kerosene Vaults there is Licencer-instance that deployed with VaultManagerV2.
To approve Kerosene Vaults there is KerosineManager.
In Deploy.V2.s.sol you add ethVault and wstEth to KerosineVaults. And also then you will licensing these vaults via VaultManagerV2 licenser.
In this case user can add same Vault to both vaults and keroseneVaults. And deposit will double when accounting via getTotalUsdValue because same vault will be accounted in both Kerosene/NonKerosene vaults.
// Deploy.V2.s.sol ... kerosineManager.add(address(ethVault)); kerosineManager.add(address(wstEth)); ... // KerosineManager ... EnumerableSet.AddressSet private vaults; ... // VaultManagerV2 function add(uint id, address vault) external isDNftOwner(id) { ... if (!vaultLicenser.isLicensed(vault)) revert VaultNotLicensed(); // passed ... } function addKerosene(uint id, address vault) external isDNftOwner(id) { ... if (!keroseneManager.isLicensed(vault)) revert VaultNotLicensed(); // passed ... } function getTotalUsdValue(uint id) public view returns (uint) { return getNonKeroseneValue(id) + getKeroseneValue(id); }
keroseneManager: https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/script/deploy/Deploy.V2.s.sol#L64
vaultLicenser: https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/script/deploy/Deploy.V2.s.sol#L95
Manual review.
Be care with mixing when approve Non-Kerosene and Kerosene Vaults. Don't add ethVault and wstEth to KeroseneManager, they should be added to VaultManagerV2 Licenser-instance. And don't add Kerosene Vaults to vaultLicenser.
Context
#0 - c4-pre-sort
2024-04-28T07:03:48Z
JustDravee marked the issue as duplicate of #966
#1 - c4-pre-sort
2024-04-29T08:37:39Z
JustDravee marked the issue as sufficient quality report
#2 - c4-judge
2024-05-04T09:46:25Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#3 - c4-judge
2024-05-29T11:19:52Z
koolexcrypto marked the issue as duplicate of #1133
#4 - c4-judge
2024-05-29T14:03:45Z
koolexcrypto marked the issue as satisfactory
🌟 Selected for report: MrPotatoMagic
Also found by: 0x175, 0x486776, 0x77, 0xAkira, 0xAsen, 0xDemon, 0xabhay, 0xblack_bird, 0xlemon, 0xloscar01, 0xtankr, 3docSec, 4rdiii, Abdessamed, AlexCzm, Angry_Mustache_Man, BiasedMerc, Circolors, Cryptor, DMoore, DPS, DedOhWale, Dinesh11G, Dots, GalloDaSballo, Giorgio, Honour, Imp, Jorgect, Krace, KupiaSec, Mrxstrange, NentoR, Pechenite, PoeAudits, Ryonen, SBSecurity, Sabit, T1MOH, TheFabled, TheSavageTeddy, Tychai0s, VAD37, Vasquez, WildSniper, ZanyBonzy, adam-idarrha, alix40, asui, blutorque, btk, c0pp3rscr3w3r, caglankaan, carrotsmuggler, d_tony7470, dimulski, dinkras, djxploit, falconhoof, forgebyola, grearlake, imare, itsabinashb, josephdara, kartik_giri_47538, ke1caM, kennedy1030, koo, lionking927, ljj, niser93, pep7siup, poslednaya, ptsanev, sashik_eth, shaflow2, steadyman, turvy_fuzz, ubl4nk, valentin_s2304, web3km, xyz, y4y, zhaojohnson, zigtur
0.0234 USDC - $0.02
In VaultManager::withdraw() there is check idToBlockOfLastDeposit[id] == block.number to prevent deposit/withdraw in the same block. Malicious user can frontrun user withdrawal transaction with his VaultManager::deposit() and pass id of user's NFT and amount eq 1 Wei. So the user's withdraw transaction will revert because check for block.number will not passing.
Because there is no minimum amount of deposit and protocol allows anyone to deposit to any Vault (isValidDNft(id) doesn't check msg.sender)- malicious actor can DoS any Vault at any time, including the administrator's Vaults.
Manual review.
Consider to add minimum amount of deposit to make this attack unprofitable for attacker and profitable to Vault owner.
DoS
#0 - c4-pre-sort
2024-04-27T11:49:13Z
JustDravee marked the issue as duplicate of #489
#1 - c4-pre-sort
2024-04-29T09:32:00Z
JustDravee marked the issue as sufficient quality report
#2 - c4-judge
2024-05-05T20:38:13Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#3 - c4-judge
2024-05-05T20:39:23Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#4 - c4-judge
2024-05-05T21:20:00Z
koolexcrypto marked the issue as nullified
#5 - c4-judge
2024-05-05T21:20:07Z
koolexcrypto marked the issue as not nullified
#6 - c4-judge
2024-05-08T15:28:13Z
koolexcrypto marked the issue as duplicate of #1001
#7 - c4-judge
2024-05-11T19:50:34Z
koolexcrypto marked the issue as satisfactory
#8 - c4-judge
2024-05-13T18:34:30Z
koolexcrypto changed the severity to 3 (High Risk)