Tapioca DAO - tsvetanovv's results

The first ever Omnichain money market, powered by LayerZero.

General Information

Platform: Code4rena

Start Date: 05/07/2023

Pot Size: $390,000 USDC

Total HM: 136

Participants: 132

Period: about 1 month

Judge: LSDan

Total Solo HM: 56

Id: 261

League: ETH

Researcher Performance

Rank: 83/132

Findings: 2

Award: $100.05

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Sathish9098

Also found by: 0xSmartContract, 0xnev, Udsen, jasonxiale, rvierdiiev, tsvetanovv

Labels

bug
2 (Med Risk)
satisfactory
sponsor confirmed
duplicate-1408

Awards

58.8874 USDC - $58.89

External Links

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/markets/singularity/SGLLeverage.sol#L117-L122

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/markets/singularity/SGLLeverage.sol#L175-L181

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/usd0/modules/USDOLeverageModule.sol#L190-L214

https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/main/contracts/Swapper/CurveSwapper.sol#L94-L142

Vulnerability details

Impact

Missing deadline checks allow pending transactions to be maliciously executed in the future. Without a deadline parameter, users can have their operations executed at unexpected times, when market conditions are unfavorable.

Proof of Concept

The problem occurs in these functions: https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/markets/singularity/SGLLeverage.sol#L117-L122

SGLLeverage.sol
function sellCollateral(
    .....
    (amountOut, shareOut) = swapper.swap(
        swapData,
        minAmountOut,
        from,
        dexData
    );
function buyCollateral(
    .....
    (amountOut, collateralShare) = swapper.swap(
        swapData,
        minAmountOut,
        from,
        dexData
    );

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/usd0/modules/USDOLeverageModule.sol#L190-L214

USDOLeverageModule.sol
function leverageUpInternal(
    .....
    (uint256 amountOut, ) = ISwapper(externalData.swapper).swap(
        _swapperData,
        swapData.amountOutMin,
        address(this),
        swapData.data
    );

https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/main/contracts/Swapper/CurveSwapper.sol#L94-L142

CurveSwapper.sol
function swap(
    SwapData calldata swapData,
    uint256 amountOutMin,
    address to,
    bytes memory data
    ......

A deadline check ensures that the transaction is executed on time and that an expired transaction reverts.

Tools Used

Visual Studio Code

Introduce a deadline parameter in these functions.

Assessed type

Timing
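An added example, not part of the submitted finding or of Tapioca's code, showing a swap entry point without a deadline next to one that takes the recommended deadline parameter. `ISimpleSwapper`, `DeadlineGuardedLeverage` and all function signatures are hypothetical simplifications.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hypothetical, simplified swapper (assumption): not Tapioca's ISwapper,
// whose swap() takes a SwapData struct and DEX-specific bytes.
interface ISimpleSwapper {
    function swap(address tokenIn, address tokenOut, uint256 amountIn,
        uint256 amountOutMin, address to) external returns (uint256 amountOut);
}

// Hypothetical market contract; token custody and approvals are left out.
contract DeadlineGuardedLeverage {
    ISimpleSwapper public immutable swapper;

    error DeadlineExpired(uint256 deadline, uint256 minedAt);

    constructor(ISimpleSwapper swapper_) {
        swapper = swapper_;
    }

    // Reverts if the transaction is mined after the caller-chosen timestamp.
    modifier checkDeadline(uint256 deadline) {
        if (block.timestamp > deadline) revert DeadlineExpired(deadline, block.timestamp);
        _;
    }

    // Before: only a slippage bound. A transaction left pending in the
    // mempool can still execute much later, against a stale minAmountOut.
    function sellCollateralNoDeadline(address tokenIn, address tokenOut,
        uint256 amountIn, uint256 minAmountOut) external returns (uint256) {
        return swapper.swap(tokenIn, tokenOut, amountIn, minAmountOut, msg.sender);
    }

    // After: the caller signs an absolute expiry with the transaction.
    // The value must come from the caller; passing block.timestamp from
    // inside the contract would always pass and defeat the check.
    function sellCollateral(address tokenIn, address tokenOut, uint256 amountIn,
        uint256 minAmountOut, uint256 deadline)
        external checkDeadline(deadline) returns (uint256)
    {
        return swapper.swap(tokenIn, tokenOut, amountIn, minAmountOut, msg.sender);
    }
}
```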

#0 - c4-pre-sort

2023-08-05T12:42:03Z

minhquanym marked the issue as primary issue

#1 - minhquanym

2023-08-05T12:43:56Z

Grouping all issues related to missing deadline check when swapping

#2 - c4-sponsor

2023-09-01T17:45:06Z

0xRektora (sponsor) confirmed

#3 - c4-judge

2023-09-29T21:45:32Z

dmvt marked the issue as satisfactory

#4 - c4-judge

2023-09-29T21:48:40Z

dmvt marked issue #1408 as primary and marked this issue as a duplicate of 1408
