Platform: Code4rena
Start Date: 25/11/2021
Pot Size: $80,000 USDC
Total HM: 35
Participants: 32
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 27
Id: 59
League: ETH
Rank: 29/32
Findings: 3
Award: $66.55
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: thank_you
Also found by: 0x0x0x, Koustre, Meta0xNull, WatchPug, cmichel, defsec, harleythedog, hyh, leastwood, pauliax, pmerkleplant, tabish, xYrYuYx
tabish
The contract are missing slippage checks which can lead to being vulnerable to sandwich attacks here in this case it is more risky as principal funds are at risk.
A common attack in DeFi is the sandwich attack. Upon observing a trade of asset X for asset Y, an attacker frontruns the victim trade by also buying asset Y, lets the victim execute the trade, and then backruns (executes after) the victim by trading back the amount gained in the first trade. Intuitively, one uses the knowledge that someone’s going to buy an asset, and that this trade will increase its price, to make a profit. The attacker’s plan is to buy this asset cheap, let the victim buy at an increased price, and then sell the received amount again at a higher price afterwards.
See UniswapHandler.buyMalt:
router.swapExactTokensForTokens( rewardBalance, 0, // amountOutMin path, address(this), now );
Detailed description of the impact of this finding.
Trades can happen at a bad price and lead to receiving fewer tokens than at a fair market price. The attacker’s profit is the protocol’s loss.
Add minimum return amount checks.
Accept a function parameter that can be chosen by the transaction sender, then check that the actually received amount is above this parameter.
Alternatively, check if it’s feasible to send these transactions directly to a miner such that they are not visible in the public mempool. Maybe use flashbots rpc
#0 - 0xScotch
2021-12-10T00:21:29Z
#219
#1 - GalloDaSballo
2022-01-26T13:29:10Z
Duplicate of #219
10.3016 USDC - $10.30
tabish
Detailed description of the impact of this finding.
Struct AuctionData https://github.com/code-423n4/2021-11-malt/blob/c3a204a2c0f7c653c6c2dda9f4563fd1dc1cecf3/src/contracts/Auction.sol#L26 currently uses 16 slots + mapping size . It is pack it more efficiently to save gas.
Change Struct AuctionData to:
struct AuctionData { // The full amount of commitments required to return to peg uint256 fullRequirement; // total maximum desired commitments to this auction uint256 maxCommitments; // Quantity of sale currency committed to this auction uint256 commitments; // Malt purchased and burned using current commitments uint256 maltPurchased; // Desired starting price for the auction uint256 startingPrice; // Desired lowest price for the arbitrage token uint256 endingPrice; // Price of arbitrage tokens at conclusion of auction. This is either // when the duration elapses or the maxCommitments is reached uint256 finalPrice; // The peg price for the liquidity pool uint256 pegPrice; // Time when auction started uint256 startingTime; uint256 endingTime; // The reserve ratio at the start of the auction uint256 preAuctionReserveRatio; // The amount of arb tokens that have been executed and are now claimable uint256 claimableTokens; // The finally calculated realBurnBudget uint256 finalBurnBudget; // The amount of Malt purchased with realBurnBudget uint256 finalPurchased; // Has this auction been finalized? Meaning any additional stabilizing // has been done bool finalized; // Is the auction currently accepting commitments? bool active; // A map of all commitments to this auction by specific accounts mapping(address => AccountCommitment) accountCommitments; }
#0 - 0xScotch
2021-12-09T22:08:57Z
#38
#1 - GalloDaSballo
2021-12-31T14:31:55Z
Duplicate of #38
tabish
Detailed description of the impact of this finding. parameter used in constructor and initilizer are used to initialize the state variable, error in these can lead to redeployment of contract
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof - that illustrates the concept.
add address(0) validation
#0 - 0xScotch
2021-12-10T01:14:24Z
#74
#1 - GalloDaSballo
2022-01-18T14:40:14Z
Duplicate of #74