Back to reassor's contests

Phuture Finance contest - reassor's results

Crypto index platform, that simplifies your investments through automated, themed index products.

General Information

Platform: Code4rena

Start Date: 19/04/2022

Pot Size: $30,000 USDC

Total HM: 10

Participants: 43

Period: 3 days

Judges: moose-code, JasoonS

Total Solo HM: 7

Id: 90

League: ETH

Phuture Finance

Findings Distribution

Researcher Performance

Rank: 41/43

Findings: 1

Award: $22.05

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPhuture Finance

Findings Information

🌟 Selected for report: cccz

Also found by: 0xkatana, Dravee, IllIllI, WatchPug, berndartmueller, defsec, fatima_naz, jah, kebabsec, kenta, pedroais, peritoflores, rayn, reassor, tabish

Awards

22.0499 USDC - $22.05

Labels

bug
duplicate
2 (Med Risk)

External Links

Link to GitHub issue

Lines of code

Vulnerability details

Impact

Protocol uses Chainlink as one of the oracles that provides prices for the assets. Chainlink's latestRoundData is used but the implementation is missing important security checks that can result in stale and incorrect prices being returned.

Proof of Concept

Tools Used

Manual Review / VSCode

It is recommended to add checks on the returned data of latestRoundData with proper revert messages if the price is stale or the round is incomplete, for example:

(
  roundId,
  rawPrice,
  ,
  updateTime,
  answeredInRound
) = baseAggregator.latestRoundData();
require(rawPrice > 0, "price <= 0");
require(updateTime != 0, "incomplete round");
require(answeredInRound >= roundId, "stale price");

#0 - olivermehr

2022-05-02T20:30:53Z

Duplicate issue of #1

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter