Trader Joe contest - static's results

One-stop-shop decentralized trading on Avalanche.

General Information

Platform: Code4rena

Start Date: 25/01/2022

Pot Size: $50,000 USDT

Total HM: 17

Participants: 39

Period: 3 days

Judge: LSDan

Total Solo HM: 9

Id: 79

League: ETH

Trader Joe


Researcher Performance

Rank: 2/39

Findings: 2

Award: $2,755.76

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: cmichel

Also found by: static

Labels

bug
duplicate
3 (High Risk)

Awards

2335.3855 USDT - $2,335.39


Handle

static

Vulnerability details

Impact

If the owner of the contract set (specifically the Factory owner) executes allowEmergencyWithdraw after the pair is created, then the withdraw functions, including emergencyWithdraw, will not function and the funds (including the liquidity tokens) will be stuck in the contract.

Proof of Concept

N/A

Tools Used

N/A

There are a few possible solutions; you could technically do any of the following:

  • Don't allow locking the contract when the pair has already been created or remove the isStopped modifier from the pair-related withdraw functions.
  • Implement a new emergency withdraw (or re-work the current function) to allow withdrawing the liquidity tokens from the contract in the event it is locked.
  • Allow unlocking the contract when the pair has been created.

#0 - cryptofish7

2022-02-10T23:54:28Z

Duplicate of #199

#1 - dmvt

2022-02-21T13:19:15Z

Direct loss of funds results; this is clearly high risk.

Findings Information

🌟 Selected for report: kirk-baird

Also found by: 0v3rf10w, static

Labels

bug
duplicate
2 (Med Risk)

Awards

420.3694 USDT - $420.37


Handle

static

Vulnerability details

Impact

The deposit function performs a check followed by an interaction, then the effect. If for some reason the rJOE token is altered to possess callbacks that go to untrusted contracts, then a user could call deposit multiple times using re-entrancy to extract extra rewards and drain the contract.

However, because the rJOE token is a standard ERC20 without callbacks, this issue has been marked as low severity.

Proof of Concept

N/A

Tools Used

N/A

Follow the check-effect-interaction pattern by moving the _safeRJoeTransfer function to be after the lines setting user.amount and user.rewardDebt.

#0 - cryptofish7

2022-02-11T00:34:51Z

Duplicate of #127
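The ordering issue from the second finding, as an added Python model (not the contest's Solidity code and not part of the submission): a reward pool whose deposit pays pending rewards either before or after updating the user's amount and reward debt. The `Token` callback, `Staking`, `ReentrantAccount`, `accrue` and all numbers are constructed assumptions; only `deposit`, the user amount and the reward debt correspond to names on the page.

```python
class Token:
    """Constructed reward token that calls back into the recipient on transfer."""
    def __init__(self):
        self.bal = {}

    def transfer(self, src, dst, amount):
        amount = min(amount, self.bal.get(src, 0))  # model choice: cap at reserve
        self.bal[src] = self.bal.get(src, 0) - amount
        self.bal[dst] = self.bal.get(dst, 0) + amount
        hook = getattr(dst, "on_receive", None)
        if hook and amount:
            hook()  # untrusted code runs here, mid-deposit


class Staking:
    """Simplified reward pool; cei=True applies checks-effects-interactions."""
    def __init__(self, token, cei):
        self.token, self.cei = token, cei
        self.acc_per_share = 0
        self.users = {}  # account -> [amount, reward_debt]

    def accrue(self, per_share):
        self.acc_per_share += per_share

    def deposit(self, account, amount):
        user = self.users.setdefault(account, [0, 0])
        pending = user[0] * self.acc_per_share - user[1]      # check
        if not self.cei and pending > 0:
            self.token.transfer(self, account, pending)       # interaction too early
        user[0] += amount                                     # effects
        user[1] = user[0] * self.acc_per_share
        if self.cei and pending > 0:
            self.token.transfer(self, account, pending)       # interaction last


class ReentrantAccount:
    """Constructed recipient that re-enters deposit from the token callback."""
    def __init__(self, pool, depth):
        self.pool, self.depth = pool, depth

    def on_receive(self):
        if self.depth > 0:
            self.depth -= 1
            self.pool.deposit(self, 0)


def rewards_paid(cei):
    token = Token()
    pool = Staking(token, cei)
    token.bal[pool] = 1000               # constructed reward reserve
    acct = ReentrantAccount(pool, depth=3)
    pool.deposit(acct, 100)              # stake 100, nothing pending yet
    pool.accrue(1)                       # 100 reward units now owed to acct
    pool.deposit(acct, 0)                # claim via deposit
    return token.bal.get(acct, 0)
```

With the transfer ahead of the state update, the stale reward debt is reused on every re-entry and the account collects 400 instead of the 100 it is owed; with the update first, the nested call sees nothing pending.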
