Swivel v3 contest - rokinot's results

The Capital-Efficient Protocol For Fixed-Rate Lending.

General Information

Platform: Code4rena

Start Date: 12/07/2022

Pot Size: $35,000 USDC

Total HM: 13

Participants: 78

Period: 3 days

Judge: 0xean

Total Solo HM: 6

Id: 135

League: ETH

Swivel

Findings Distribution

Researcher Performance

Rank: 18/78

Findings: 3

Award: $177.79

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: bin2chen

Also found by: 0x52, 0xDjango, 0xSky, Picodes, auditor0517, rokinot, ronnyx2017, scaraven

Labels

bug
duplicate
2 (Med Risk)

Awards

106.8838 USDC - $106.88

External Links

Lines of code

https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L620

Vulnerability details

Impact

The function's description says "Allows users to redeem zcTokens and withdraw underlying, boiling up from the zcToken instead of starting on Swivel". In order for the function to be called, it needs to pass the modifier authorized(marketPlace), where marketPlace is the address of a deployed MarketPlace contract, but the MarketPlace.sol contract does not call this function anywhere. This makes the function impossible to reach for anyone, including the administrator, and prevents the token withdrawal it implements.

Proof of Concept

#L620

function authRedeemZcToken(uint8 p, address u, address c, address t, uint256 a) external authorized(marketPlace) returns(bool) {

Recommended Mitigation Steps

Add a function to MarketPlace.sol which calls this function, or remove the modifier.
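The reachability problem, as an added illustration that is not Swivel's code: a cut-down Swivel-like contract whose redeem path is gated on the MarketPlace address, a MarketPlace with no call path (the audited state), a MarketPlace with the forwarding entry point the mitigation asks for, and a probe that shows a direct call from any other address reverts. All contract and function names here are hypothetical stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not Swivel's code. Names are hypothetical.
error Unauthorized(address caller, address expected);

contract SwivelLike {
    address public immutable marketPlace;

    // Same shape as the audited modifier: only `a` may call.
    modifier authorized(address a) {
        if (msg.sender != a) revert Unauthorized(msg.sender, a);
        _;
    }

    constructor(address m) {
        marketPlace = m;
    }

    // Stand-in for authRedeemZcToken. The modifier means the only address that
    // can ever execute this body is the MarketPlace contract, so if MarketPlace
    // never calls it, the function is dead code for every user and for the admin.
    function authRedeemZcToken(uint8, address, address, address, uint256 a)
        external
        authorized(marketPlace)
        returns (bool)
    {
        // burning zcTokens / withdrawing underlying would go here; we only echo success
        return a > 0;
    }
}

// Before: nothing in MarketPlace reaches SwivelLike.authRedeemZcToken.
contract MarketPlaceBefore {
    // intentionally empty: no call path exists
}

// After: MarketPlace exposes an entry point that forwards the call, so
// msg.sender inside SwivelLike is the MarketPlace and the modifier passes.
contract MarketPlaceAfter {
    address public immutable admin;
    SwivelLike public swivel;

    constructor() {
        admin = msg.sender;
    }

    // SwivelLike needs the MarketPlace address at construction, so the
    // MarketPlace learns Swivel's address afterwards (one-time, admin-only wiring).
    function setSwivel(address s) external {
        require(msg.sender == admin && address(swivel) == address(0), "wiring");
        swivel = SwivelLike(s);
    }

    // Whatever access control applies to end users (who may redeem whose
    // tokens) belongs in this entry point, since Swivel now trusts the MarketPlace.
    function redeemZcToken(uint8 p, address u, address c, address t, uint256 a)
        external
        returns (bool)
    {
        return swivel.authRedeemZcToken(p, u, c, t, a);
    }
}

// Reachability probe: a direct call from any address other than the
// configured marketPlace reverts with Unauthorized.
contract Probe {
    function directCallSucceeds(SwivelLike s) external returns (bool) {
        try s.authRedeemZcToken(0, address(0), address(0), address(0), 1) returns (bool ok) {
            return ok;    // only reached if Probe itself were the marketPlace
        } catch {
            return false; // Unauthorized(...) bubbled up
        }
    }
}
```

Deployment order matters because of the circular dependency: deploy MarketPlaceAfter, deploy SwivelLike with the MarketPlaceAfter address, then call setSwivel once. Probe.directCallSucceeds returns false against that setup, while MarketPlaceAfter.redeemZcToken succeeds, which is the check a reviewer would run to confirm the function has exactly one live caller.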

#0 - JTraversa

2022-07-20T07:41:06Z

Duplicate of #39

#1 - bghughes

2022-08-03T02:07:57Z

Duplicate of #39

Non-critical

matureVault() returns a boolean value, but it's never checked anywhere in the code.

#L143

setFee() reverts if the input array has size larger than 4.

#L504

To fix this, check whether the input array has a size lower than 4.

Low risk

Operation reverts due to underflow until the admin sets maturityRate to a higher value

transferNotionalFrom() can transfer the exchangeRate to a different vault with a lower maturityRate, which causes the yield calculation to revert until the admin sets maturityRate to a higher value (VaultTracker.sol).

Multiple custom errors are impossible to reach

Some operations use a boolean return value to revert with a custom error, but the functions they call either return true (which passes the check) or revert (which never reaches the if statement), so the custom error can never be triggered.

#L229-L233 #L173-L176 #L134-L141 #L603-L606
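Both sides of the return-value question raised in this report (the non-critical item "matureVault() returns a boolean value, but it's never checked" and the low-risk item "custom errors are impossible to reach") in one added illustration that is not the project's code: a callee that only ever returns true or reverts, so the caller's revert branch is dead, and a second implementation behind the same interface that signals failure with false, which is the case where keeping the check matters and dropping it silently records a maturity that never happened. All names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not the project's code. Names are hypothetical.
error Exception(uint8 code);

interface IVaultTrackerLike {
    function matureVault() external returns (bool);
}

// Pattern described in the report: matures or reverts; `false` is never returned.
contract VaultTrackerLike is IVaultTrackerLike {
    uint256 public immutable maturity;
    bool public matured;

    constructor(uint256 m) {
        maturity = m;
    }

    function matureVault() external override returns (bool) {
        if (block.timestamp < maturity) revert Exception(1);
        matured = true;
        return true; // the only non-reverting outcome
    }
}

// A different implementation behind the same interface that reports failure
// with `false` instead of reverting (the ERC20-style ambiguity the maintainer
// alludes to: callers cannot know which convention the callee follows).
contract SoftFailTracker is IVaultTrackerLike {
    uint256 public immutable maturity;
    bool public matured;

    constructor(uint256 m) {
        maturity = m;
    }

    function matureVault() external override returns (bool) {
        if (block.timestamp < maturity) return false;
        matured = true;
        return true;
    }
}

contract CheckedCaller {
    IVaultTrackerLike public immutable tracker;

    constructor(IVaultTrackerLike t) {
        tracker = t;
    }

    // Against VaultTrackerLike the revert below is unreachable: the callee has
    // already reverted, or it returned true. Against SoftFailTracker it is the
    // only thing that stops an immature vault from being treated as mature.
    function matureMarket() external returns (bool) {
        if (!tracker.matureVault()) revert Exception(2);
        return true;
    }
}

contract UncheckedCaller {
    IVaultTrackerLike public immutable tracker;
    bool public marketMatured;

    constructor(IVaultTrackerLike t) {
        tracker = t;
    }

    // The non-critical item: the boolean is dropped. Wired to SoftFailTracker,
    // this records the market as mature even when the vault refused.
    function matureMarket() external returns (bool) {
        tracker.matureVault();
        marketMatured = true;
        return true;
    }
}
```

Wiring CheckedCaller to VaultTrackerLike shows the dead branch (no input reaches Exception(2)); wiring either caller to SoftFailTracker with a maturity in the future shows why the check is defence in depth when the callee is an interface rather than a fixed implementation: CheckedCaller reverts, UncheckedCaller sets marketMatured while SoftFailTracker.matured stays false.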

#0 - robrobbins

2022-08-11T00:19:59Z

  1. ok
  2. ok
  3. ?
  4. this is a common pattern. see ERC20

#1 - robrobbins

2022-08-11T00:20:59Z

adding maybe to revisit 3. WRT the vaulttracker.transferNotionalFrom comment. likely addressed elsewhere or a non issue but..

#2 - robrobbins

2022-09-01T20:23:24Z

this (3) might be a different wording for the issue (in another report) that led to the change that was made in the VaultTracker that now compares the maturityRate against the exchangeRate (when setting exchangeRate) and takes the lower of the two thus preventing it from being set to 0

#3 - robrobbins

2022-09-02T00:34:53Z

so, I think this is just a non-existent scenario. You can't transfer the exchange rate to another vault.

Awards

26.6467 USDC - $26.65

Labels

bug
G (Gas Optimization)
resolved

External Links

x = x + y is a cheaper operation than x += y

There are multiple instances in the code, e.g. in VaultTracker.sol:

vlt.redeemable += interest;
vlt.notional += a;
vlt.redeemable += interest;
from.redeemable += interest;
to.redeemable += newVaultInterest;
to.notional += a;
sVault.redeemable += interest;
sVault.notional += a;

Swivel.sol

filled[hash] += a;

for-loop length comparisons can use != len instead of < len for cheaper gas

#L85 #L247 #L409 #L552

use constant/literals (e.g. type(uint256).max) instead of 2**x

#L549

++i consumes less gas than i++ if the optimizer isn't enabled

#L100 #L269 #L418 #L564
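The four gas items above side by side, as an added before/after pair that is not the project's code: the same storage update, loop and bound written first in the flagged form and then in the suggested form. Contract and function names are hypothetical; the caveats in the comments are the ones a reviewer would attach before accepting any of these as savings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not the project's code. Names are hypothetical.

// The flagged forms.
contract GasBefore {
    mapping(bytes32 => uint256) public filled;

    function fill(bytes32 hash, uint256 a) external {
        filled[hash] += a;                       // x += y on a storage slot
    }

    function sum(uint256[] calldata xs) external pure returns (uint256 s) {
        uint256 len = xs.length;
        for (uint256 i = 0; i < len; i++) {      // < len and post-increment
            s += xs[i];
        }
    }

    function maxU16() external pure returns (uint256) {
        return 2**16 - 1;                        // power-of-two expression
    }
}

// The suggested forms.
contract GasAfter {
    mapping(bytes32 => uint256) public filled;

    function fill(bytes32 hash, uint256 a) external {
        filled[hash] = filled[hash] + a;         // x = x + y
    }

    function sum(uint256[] calldata xs) external pure returns (uint256 s) {
        uint256 len = xs.length;
        // `!= len` is only equivalent to `< len` because i starts at 0 and
        // advances by exactly 1; with any other step it could run past len.
        for (uint256 i = 0; i != len; ++i) {     // != len and pre-increment
            s = s + xs[i];
        }
    }

    function maxU16() external pure returns (uint256) {
        // Note: 2**16 - 1 above is a literal constant expression that the
        // compiler folds at compile time, so the gain here is mostly
        // readability; the runtime difference, if any, must be measured.
        return type(uint16).max;
    }
}
```

None of these differences are guaranteed across compiler versions or optimizer settings (the ++i point in the report is already conditional on the optimizer being off), so the way to accept or reject each item is a measurement, for example `forge snapshot` or `forge test --gas-report` on the two contracts, rather than the rule of thumb alone.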

#0 - robrobbins

2022-08-22T22:19:50Z

some changes done elsewhere

!= vs < implemented : https://github.com/Swivel-Finance/gost/pull/430
