Back to rvierdiiev's contests

Y2k Finance contest - rvierdiiev's results

A suite of structured products for assessing pegged asset risk.

General Information

Platform: Code4rena

Start Date: 14/09/2022

Pot Size: $50,000 USDC

Total HM: 25

Participants: 110

Period: 5 days

Judge: hickuphh3

Total Solo HM: 9

Id: 162

League: ETH

Y2k Finance

Findings Distribution

Researcher Performance

Rank: 15/110

Findings: 3

Award: $782.96

🌟 Selected for report: 1

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryY2k Finance

Findings Information

🌟 Selected for report: rvierdiiev

Also found by: async

Labels

bug
2 (Med Risk)
sponsor disputed
selected for report

Awards

693.5137 USDC - $693.51

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L345-L359 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L136 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L152 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L187-L190

Vulnerability details

Impact

VaultFactory allows admin to change controller for marketId(hedge and risk vaults) using VaultFactory.changeController. This method then set controller to both vaults. This address is important for Vault contract as it allows to call different functions.

VaultFactory take care about different pair vaults through indexVaults mapping. Controller can get info about pairs vaults only through the correct VaultFactory that is provided to Controller in constructor.

It's possible that VaultFactory.changeController will set controller whose vaultFactory field is not equal to current VaultFactory. That means that when Controller.triggerDepeg or Controller.triggerEndEpoch will be called they will not be able to find the market. So current controller will not be able to call hedge and risk vaults.

Proof of Concept

This is how the controller is set to vaults. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L345-L359

Controller depends on VaultFactory to find vault for market. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L136 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L152

Tools Used

Use same check as you used in VaultFactory.createNewMarket https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L187-L190

#0 - HickupHH3

2022-11-03T14:38:06Z

Agree with the issue that the incoming Controller's VaultFactory should be verified to be the VaultFactory's address itself. Otherwise, there's a loss of functionality.

Findings Information

🌟 Selected for report: Respx

Also found by: 0x1f8b, 0xDecorativePineapple, 0xNazgul, 0xPanas, 0xSmartContract, 0xc0ffEE, 0xmuxyz, Aymen0909, Bahurum, Bnke0x0, CodingNameKiki, Deivitto, Jeiwan, Lambda, Picodes, PwnPatrol, R2, RaymondFam, Rolezn, Ruhum, Saintcode_, SooYa, Tointer, V_B, ajtra, ak1, async, auditor0517, brgltd, c3phas, carrotsmuggler, cccz, csanuragjain, datapunk, djxploit, durianSausage, eierina, erictee, gogo, imare, joestakey, jonatascm, kv, ladboy233, leosathya, lukris02, oyc_109, pashov, pauliax, rbserver, robee, rokinot, rvierdiiev, scaraven, simon135, unforgiven, wagmi, zzzitron

Awards

36.6223 USDC - $36.62

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue
  1. Remove variable as it is nod used. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L11
  2. Modifier is not used. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L73-L77
  3. Conditions with assertions to true or false are confusing. Use !vault.idExists(epochEnd) instead. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L93 Use if(!insrVault.idExists(epochEnd) || !riskVault.idExists(epochEnd)) instead https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L211 Use !idExists[id] instead https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L80 Use !isApprovedForAll(owner, receiver) instead https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L217 Use if(idExists[epochEnd]) instead https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L314
  4. Check address param for 0 address. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/SemiFungibleVault.sol#L70 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/SemiFungibleVault.sol#L96 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L80 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L365 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L312
  5. Add event description. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L113

Findings Information

🌟 Selected for report: pfapostol

Also found by: 0x040, 0x1f8b, 0x4non, 0xNazgul, 0xSmartContract, 0xc0ffEE, 0xkatana, Aymen0909, Bnke0x0, Deivitto, Diana, JAGADESH, KIntern_NA, Lambda, MiloTruck, R2, RaymondFam, Respx, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, Ruhum, Saintcode_, Samatak, Sm4rty, SnowMan, Tomio, Tomo, WilliamAmbrozic, _Adam, __141345__, ajtra, ak1, async, c3phas, ch0bu, cryptostellar5, d3e4, delfin454000, dharma09, djxploit, durianSausage, eierina, erictee, fatherOfBlocks, gianganhnguyen, gogo, ignacio, imare, jag, jonatascm, leosathya, lukris02, malinariy, oyc_109, pashov, pauliax, peanuts, peiw, prasantgupta52, robee, rokinot, rotcivegaf, rvierdiiev, seyni, simon135, slowmoses, sryysryy, tnevler, zishansami

Awards

52.8286 USDC - $52.83

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue
  1. Cache getLatestPrice(vault.tokenInsured()) into variable as you use it int 2 places. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L96-L99
  2. Use external modifier instead of public if you don’t call method from a contract to save deployment gas. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L148 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L217 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L277 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L287 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L295 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L307 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L336 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L350 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L360 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L439 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L186 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L180 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L253 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L295 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L308 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L327 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L345 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L366 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L385
  3. Use if (answer > 0) to save gas. Do not create Boolean variable. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L277-L280
  4. Use > instead of !=0 to save gas. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L157 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L159 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L215 https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L217
  5. Use ++i instead of i++ for loops. Also cache epochsLength() into variable. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L443

#0 - HickupHH3

2022-11-09T11:57:38Z

Cache getLatestPrice(vault.tokenInsured()) into variable as you use it int 2 places. https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L96-L99

Multiple calls: 11k gas saved

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter