Canto Dex Oracle contest - rokinot's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 07/09/2022

Pot Size: $20,000 CANTO

Total HM: 7

Participants: 65

Period: 1 day

Judge: 0xean

Total Solo HM: 3

Id: 159

League: ETH

Canto

Researcher Performance

Rank: 17/65

Findings: 2

Award: $146.62

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 0xhunter

Also found by: BipinSah, Rohan16, Sm4rty, Tomo, fatherOfBlocks, m_Rassska, oyc_109, prasantgupta52, rokinot

Labels

bug
duplicate
2 (Med Risk)

Awards

664.9949 CANTO - $107.40

External Links

Lines of code

https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-core.sol#L560-L568

Vulnerability details

Impact

The oracle's period size, which is set through setPeriodSize(), can no longer be updated once the number of pairs is large enough.

Proof of Concept

Assuming a block gas limit similar to Ethereum's, which is 30M as of today (some EVM-based layer-1s such as Avalanche have an even lower block limit), and taking the execution cost of setPeriodSize() as the parameter: because the factory's setPeriodSize() walks every registered pair and updates each one in the same transaction, its gas cost grows linearly with the number of pairs, and once Canto DEX reaches roughly 1k pairs (arguably a realistic number) a single call will exceed the block gas limit.

According to the docs, the DAO can raise the gas limit, but that may be a slow process, and a bad actor can create mock tokens and mock pairs to inflate the pair count and grief the DEX.

Tools Used

Code reading

Recommended Mitigation Steps

The function could take a range of indexes instead of updating every pair at once; since this operation does not happen often, the admin could pause swaps until all pairs have been updated.

It is also possible to store this variable on BaseV1Factory instead, since it is a single value shared by all pairs, and add a public view function on BaseV1Pair that reads it from the factory contract through an external call.
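Both mitigations above, as an added example that is not code from the Canto DEX repository. The contract and function names (BatchedFactory, SharedPeriodFactory, SharedPeriodPair, registerPair, setSwapsPaused, shouldRecordObservation) and the MAX_PERIOD / default period values are assumptions made for the illustration; the real BaseV1Factory and BaseV1Pair have their own names and checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not code from the Canto DEX repository. All contract and
// function names here are hypothetical stand-ins for the BaseV1Factory /
// BaseV1Pair split that the finding discusses.

interface IPeriodPairSetter {
    function setPeriodSize(uint256 newPeriod) external;
}

interface IPeriodFactory {
    function periodSize() external view returns (uint256);
}

// Mitigation 1: keep a per-pair setter, but bound the work done per
// transaction by updating only the slice [start, end) of allPairs. A griefer
// who registers thousands of mock pairs only adds more slices, never an
// update that cannot fit in a block.
contract BatchedFactory {
    uint256 public constant MAX_PERIOD = 1 hours; // assumed upper bound

    address public admin;
    address[] public allPairs;
    bool public swapsPaused; // pairs are expected to check this before swapping

    constructor() {
        admin = msg.sender;
    }

    function registerPair(address pair) external {
        require(msg.sender == admin, "not admin");
        allPairs.push(pair);
    }

    // Pause swaps while a multi-slice update is in flight so that pairs do not
    // trade on mixed period sizes.
    function setSwapsPaused(bool paused) external {
        require(msg.sender == admin, "not admin");
        swapsPaused = paused;
    }

    function setPeriodSize(uint256 newPeriod, uint256 start, uint256 end) external {
        require(msg.sender == admin, "not admin");
        require(newPeriod <= MAX_PERIOD, "period too large");
        require(start < end && end <= allPairs.length, "bad range");
        for (uint256 i = start; i < end; i++) {
            IPeriodPairSetter(allPairs[i]).setPeriodSize(newPeriod);
        }
    }
}

// Mitigation 2: a single source of truth on the factory. Changing the period
// is one storage write regardless of how many pairs exist.
contract SharedPeriodFactory is IPeriodFactory {
    uint256 public constant MAX_PERIOD = 1 hours; // assumed upper bound

    address public admin;
    uint256 public override periodSize = 30 minutes; // assumed default

    constructor() {
        admin = msg.sender;
    }

    function setPeriodSize(uint256 newPeriod) external {
        require(msg.sender == admin, "not admin");
        require(newPeriod <= MAX_PERIOD, "period too large");
        periodSize = newPeriod;
    }
}

contract SharedPeriodPair {
    IPeriodFactory public immutable factory;
    uint256 public lastObservation;

    constructor(address factory_) {
        factory = IPeriodFactory(factory_);
        lastObservation = block.timestamp;
    }

    // Public view that forwards to the factory; the TWAP logic reads this
    // instead of a per-pair storage slot.
    function periodSize() public view returns (uint256) {
        return factory.periodSize();
    }

    // Sketch of where the pair would consume the value: an observation is
    // recorded only once a full period has elapsed.
    function shouldRecordObservation() public view returns (bool) {
        return block.timestamp - lastObservation >= periodSize();
    }
}
```

With the shared-variable layout, setPeriodSize() costs a single storage write no matter how many pairs exist, so registering mock pairs gains an attacker nothing. The trade-off is one extra external call whenever a pair needs the period, which is kept cheap by reading periodSize() once per observation update rather than in a loop.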

#0 - nivasan1

2022-09-10T16:24:10Z

duplicate #8

Low

The prices of stablecoin cTokens are hard-coded to 1e18; however, cStable/Stable or even cStable/cStable pairs can have prices in terms of Note that differ from 1e18 (e.g. cUSDC/cUSDT).

https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-periphery.sol#L549

Non-critical

Wrong comment: it should say WCANTO instead of WETH.

https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-periphery.sol#L85

Contracts can force-deposit CANTO by calling selfdestruct

Although no vulnerability is involved, this contradicts what the comment says: a contract that selfdestructs with the periphery as its beneficiary credits the balance without triggering receive(), so the sender check there cannot guarantee that CANTO only arrives from the wrapped-native contract.

https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-periphery.sol#L85
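The force-deposit described above, as an added example that is not code from the Canto DEX repository. Router is a hypothetical stand-in for the periphery contract, with a receive() guard written from the finding's description rather than copied from the repository; ForceSend and Demo, and the wcanto address the deployer passes in, are constructed for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not code from the Canto DEX repository. `Router` is a
// hypothetical stand-in whose receive() is guarded the way the finding
// describes; `ForceSend` and `Demo` exist only for this example.

contract Router {
    address public immutable wcanto;

    constructor(address wcanto_) {
        wcanto = wcanto_;
    }

    // Guard meant to admit CANTO only from the wrapped-native contract. It runs
    // for ordinary value transfers (CALL with value) but is never invoked for a
    // selfdestruct credit, which simply increases the balance.
    receive() external payable {
        require(msg.sender == wcanto, "only WCANTO");
    }

    function nativeBalance() external view returns (uint256) {
        return address(this).balance;
    }
}

// Funds a target by self-destructing inside its own constructor. Because the
// creation and the selfdestruct happen in the same transaction, the transfer
// still takes place after EIP-6780 (Cancun), which otherwise limited what
// selfdestruct does.
contract ForceSend {
    constructor(address payable target) payable {
        selfdestruct(target);
    }
}

// Driver: deploy Router with any wcanto address, then call
// demo.forceFund{value: 1 ether}(payable(address(router))). Afterwards
// router.nativeBalance() reports 1 ether although no call ever passed the
// receive() guard.
contract Demo {
    function forceFund(address payable router) external payable {
        new ForceSend{value: msg.value}(router);
    }
}
```

The check in receive() is still worthwhile, since it stops a user from sending CANTO straight to the periphery by mistake; what it cannot do is back the comment's claim that CANTO only arrives from WCANTO, so the comment should be reworded rather than the check removed.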

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
