Mimo August 2022 contest - tofunmi's results

Bridging the chasm between the DeFi world and the world of regulated financial institutions.

General Information

Platform: Code4rena

Start Date: 02/08/2022

Pot Size: $50,000 USDC

Total HM: 12

Participants: 69

Period: 5 days

Judge: gzeon

Total Solo HM: 5

Id: 150

League: ETH

Mimo DeFi

Findings Distribution

Researcher Performance

Rank: 60/69

Findings: 1

Award: $67.51

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-08-mimo/tree/main/contracts/proxy/MIMOProxy.sol#L127-L148

Vulnerability details

Impact

  • The multicall function does not check that the lengths of address[] calldata targets and bytes[] calldata data match, and it does not check targets for the zero address either. Without an equality check, the unbalanced array entry would be a null address, which returns success when called, and this could lead to costly mistakes.

Proof of Concept

  • In a scenario where a user supplies the params and the lengths of targets[] and data[] are not equal, the call would be made to a zero address; Solidity returns success for a call to a zero address, and smart-contract logic should not rest on the user's discretion. If one of the calls also requires a transfer of funds, those funds could be lost.

```solidity
// File: contracts/proxy/MIMOProxy.sol, line 127
  function multicall(address[] calldata targets, bytes[] calldata data) external override returns (bytes[] memory) {}
```

Tools Used

vim

Recommended Mitigation Steps

  • Check that the two params have the same length, and check for the zero address too:

```diff
 // File: contracts/proxy/MIMOProxy.sol, lines 127-148
   function multicall(address[] calldata targets, bytes[] calldata data) external override returns (bytes[] memory) {
+    if (targets.length != data.length) {
+      revert();
+    }
     if (msg.sender != owner) {
       revert CustomErrors.NOT_OWNER(owner, msg.sender);
     }
     bytes[] memory results = new bytes[](data.length);
     for (uint256 i = 0; i < targets.length; i++) {
+      if (address(targets[i]) == address(0)) revert();
       (bool success, bytes memory response) = targets[i].call(data[i]);
       if (!success) {
         if (response.length > 0) {
           assembly {
             let returndata_size := mload(response)
             revert(add(32, response), returndata_size)
           }
         } else {
           revert CustomErrors.LOW_LEVEL_CALL_FAILED();
         }
       }
       results[i] = response;
     }
     return results;
   }
 }
```
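As an added example (not the finding author's or Mimo's code), a Foundry test that exercises the two guards proposed above on a stand-in contract; the contract name, custom error names and test names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Assumed stand-in for the proxy: owner check kept, the two guards added with custom errors.
contract HardenedMulticall {
    error NotOwner(address owner, address caller);
    error LengthMismatch(uint256 targets, uint256 data);
    error ZeroTarget(uint256 index);
    error LowLevelCallFailed();
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function multicall(address[] calldata targets, bytes[] calldata data) external returns (bytes[] memory results) {
        if (msg.sender != owner) revert NotOwner(owner, msg.sender);
        // Guard 1: reject mismatched arrays before any external call is made.
        if (targets.length != data.length) revert LengthMismatch(targets.length, data.length);
        results = new bytes[](data.length);
        for (uint256 i = 0; i < targets.length; i++) {
            // Guard 2: CALL to an address with no code returns success, so refuse address(0) explicitly.
            if (targets[i] == address(0)) revert ZeroTarget(i);
            (bool success, bytes memory response) = targets[i].call(data[i]);
            if (!success) revert LowLevelCallFailed();
            results[i] = response;
        }
    }
}

contract HardenedMulticallTest is Test {
    HardenedMulticall internal mc;

    function setUp() public { mc = new HardenedMulticall(); } // the test contract is the owner

    function testRevertsOnLengthMismatch() public {
        address[] memory targets = new address[](2);
        bytes[] memory data = new bytes[](1);
        vm.expectRevert(abi.encodeWithSelector(HardenedMulticall.LengthMismatch.selector, 2, 1));
        mc.multicall(targets, data);
    }

    function testRevertsOnZeroTarget() public {
        address[] memory targets = new address[](1); // uninitialised slot is address(0)
        bytes[] memory data = new bytes[](1);
        vm.expectRevert(abi.encodeWithSelector(HardenedMulticall.ZeroTarget.selector, 0));
        mc.multicall(targets, data);
    }
}
```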

#0 - horsefacts

2022-08-08T23:18:49Z

#1 - RayXpub

2022-08-10T12:14:34Z

Duplicate of #113
