Astaria contest - tsvetanovv's results

On a mission to build a highly liquid NFT lending market.

General Information

Platform: Code4rena

Start Date: 05/01/2023

Pot Size: $90,500 USDC

Total HM: 55

Participants: 103

Period: 14 days

Judge: Picodes

Total Solo HM: 18

Id: 202

League: ETH

Researcher Performance

Rank: 92/103

Findings: 1

Award: $44.14

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 0xsomeone

Also found by: ayeslick, tsvetanovv

Labels

bug
2 (Med Risk)
partial-25
duplicate-472

Awards

44.1378 USDC - $44.14

External Links

Lines of code

https://github.com/code-423n4/2023-01-astaria/blob/main/src/ClearingHouse.sol#L148

Vulnerability details

Impact

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.

Proof of Concept

ClearingHouse.sol

    ERC20(paymentToken).safeApprove(
      address(ASTARIA_ROUTER.TRANSFER_PROXY()),
      payment - liquidatorPayment
    );

Tools Used

Manual Review

Use approve(0) to set the allowance to zero immediately before existing approve() calls.
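The allowance rule described under Impact and the zero-first mitigation, as an added example that is not part of the original submission or of the Astaria code base. `UsdtLikeToken`, `ResetApprove` and `Payer` are constructed names, and the mock models only the approve behaviour the finding mentions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example: constructed mock, not Astaria or Tether code.
// Models only the allowance rule the finding describes.
contract UsdtLikeToken {
    mapping(address => mapping(address => uint256)) public allowance;

    // Like USDT, returns no bool and rejects non-zero -> non-zero changes.
    function approve(address spender, uint256 value) external {
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset to 0 first");
        allowance[msg.sender][spender] = value;
    }
}

// Hypothetical helper: zero the allowance, then set the new value.
library ResetApprove {
    function resetAndApprove(address token, address spender, uint256 value) internal {
        _call(token, spender, 0);
        if (value != 0) _call(token, spender, value);
    }

    // Low-level call so tokens with no return value are accepted too.
    function _call(address token, address spender, uint256 value) private {
        require(token.code.length != 0, "not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("approve(address,uint256)", spender, value)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve failed");
    }
}

// Stand-in for a contract that approves the same spender repeatedly.
contract Payer {
    UsdtLikeToken public immutable token;
    constructor(UsdtLikeToken t) { token = t; }

    // Reverts on the second call if the first allowance was not fully spent.
    function approveDirect(address spender, uint256 amount) external {
        token.approve(spender, amount);
    }

    // Succeeds regardless of the leftover allowance.
    function approveWithReset(address spender, uint256 amount) external {
        ResetApprove.resetAndApprove(address(token), spender, amount);
    }
}
```

Calling `approveDirect` twice for the same spender with non-zero amounts reverts on the second call, while `approveWithReset` succeeds both times.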

#0 - c4-judge

2023-01-22T15:26:43Z

Picodes marked the issue as duplicate of #437

#1 - c4-judge

2023-02-24T10:19:59Z

Picodes marked the issue as satisfactory

#2 - c4-judge

2023-02-24T10:20:06Z

Picodes marked the issue as partial-25

#3 - Picodes

2023-02-24T10:20:23Z

Partial credit due to the absence of PoC
