Init Capital Invitational - rvierdiiev's results

Lines of code

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/hook/MarginTradingHook.sol#L504-L526

Vulnerability details

Proof of Concept

When order is updated then caller provides _posId and _orderId. Then position of caller is fetched using _posId. The condition here is that position has more collateral than user wants to update.

Note, that there is no check that _orderId is somehow related to the position. Because of that anyone can update position of other person and change values. This can be used by attacker to change _limitPrice_e36 to smaller value and earn position's profit or to change trigger price, so position's stop loss will not work for example.

Impact

Attacker can change position of other users.

Tools Used

VsCode

Recommended Mitigation Steps

Check that order is about position of caller.

Assessed type

Error

Lines of code

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/hook/MarginTradingHook.sol#L372-L400

Vulnerability details

Proof of Concept

Order can be updated at any time. This allows to change collateral for order or to change limitPrice_e36 - price that is used to calculate profit of order creator.

Because of that it's possible that after fillOrder will be executed, then filler will pay and receive not what he expected:

• because order owner has increased collateral amount, so filler repaid more debt then he expected
• because order owner has decreased collateral amount, so filler received small profit, that doesn't cover even gas
• because order owner has frontrunned with limitPrice_e36 change and set the price that filler will now don't receive any rewards, but will pay even more out token(for example really small price like 1 wei).

Impact

Filler can lose funds.

Tools Used

VsCode

Recommended Mitigation Steps

Provide filler with ability to provide slippage, so he doesn't pay more than he expected.

Assessed type

Error

Lines of code

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/hook/MarginTradingHook.sol#L422

Vulnerability details

Proof of Concept

When CloseExactOut swap is done, it means that hook needs to receive exact amount of borrow token to be able to repay it and withdraw collateral.

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/hook/MarginTradingHook.sol#L420-L424

            if (swapInfo.swapType == SwapType.CloseExactOut) {
                // slippage control to make sure that swap helper swap correctly
                _require(IERC20(swapInfo.tokenOut).balanceOf(address(this)) == swapInfo.amtOut, Errors.SLIPPAGE_CONTROL);
                amtSwapped -= IERC20(swapInfo.tokenIn).balanceOf(address(this));
            }

After the swap is executed by swap helper, then for CloseExactOut swap there is a check, that balance is exactly what is needed to repay.

Such check makes it possible to revert reducePos call, when CloseExactOut is used by simply transferring small amount of tokens before. Once it is done, then the check will usually fail for all other same swaps. However, contract will not be broken and it will be possible to make balance 0 again.

Impact

CloseExactOut swap can be rejected, when it is needed for attacker. In such case attacker can grief user or can use such approach to prevent user from decreasing position.

Tools Used

VsCode

Recommended Mitigation Steps

Check that balance is not less than what is needed to repay.

Assessed type

Error

Lines of code

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/wrapper/WLpMoeMasterChef.sol#L21

Vulnerability details

Proof of Concept

Users can wrap their merchant moe lp tokens to the WLpMoeMasterChef contract to use it as collateral in init protocol.

Merchant moe MasterChef contract has emergencyWithdraw function(i don't know how to copy the line from explorer.mantle.xyz) that allows to withdraw lp tokens from contract in case of emergency in some rewarder contract or other cases. In this case there will be no claiming of rewards, just transferring of lp tokens.

But WLpMoeMasterChef doesn't have integration with that function which takes user's lp token under a risk.

Impact

In case of emergency users will not be able to unwrap.

Tools Used

VsCode

Recommended Mitigation Steps

Add integration with function.

Assessed type

Error

Lines of code

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/wrapper/WLpMoeMasterChef.sol#L145-L162

Vulnerability details

Proof of Concept

When user locks LP tokens in the WLpMoeMasterChef, then erc721 token is created for him. Later user can do whatever he wants with this erc721 token. So it's possible that such tokens will be traded on markets.

WLpMoeMasterChef.unwrap function decreases __lpBalances for the token. Currently there is no guarantee for the purchaser, that he will receive nft with LP amount that he wanted to buy as nft owner can decrease/close whole position right before order will be filled in the nft marketplace.

Impact

Nft purchaser can get less amount of LP.

Tools Used

VsCode

Recommended Mitigation Steps

Add special function like lockNftForTrade that can be called by owner to signal trading. It will lock ability to unwrap position for some period of time. During this time the trade should happen.

Assessed type

Error