Platform: Code4rena
Start Date: 14/10/2022
Pot Size: $100,000 USDC
Total HM: 12
Participants: 75
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 171
League: ETH
Rank: 42/75
Findings: 2
Award: $0.98
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: Aymen0909, Dravee, Josiah, M4TZ1P, Mukund, Nyx, SooYa, catchup, cccz, chaduke, csanuragjain, djxploit, hansfriese, ladboy233, leosathya, pashov, rvierdiiev, sorrynotsorry, supernova, vv7, wagmi, zzykxx
0.006 USDC - $0.01
https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/LBFactory.sol#L474
Owner could deny users from using flash loans.
function setFlashLoanFee(uint256 _flashLoanFee) external override onlyOwner {
    uint256 _oldFlashLoanFee = flashLoanFee;

    if (_oldFlashLoanFee == _flashLoanFee) revert LBFactory__SameFlashLoanFee(_flashLoanFee);

    flashLoanFee = _flashLoanFee;
    emit FlashLoanFeeSet(_oldFlashLoanFee, _flashLoanFee);
}
_flashLoanFee is not checked here, so it can be set to any value by a malicious owner.
When a user attempts to call flashLoan() from LBPair.sol the following function is called:
function _getFlashLoanFee(uint256 _amount, uint256 _fee) internal pure returns (uint256) {
    return (_amount * _fee) / Constants.PRECISION;
}
If _fee is large, this function will revert, which will prevent a user from using flash loan functionality.
vim
Add upper and lower bounds checks.
#0 - GalloDaSballo
2022-10-27T21:16:00Z
#1 - c4-judge
2022-11-23T18:37:56Z
GalloDaSballo marked the issue as not a duplicate
#2 - c4-judge
2022-11-23T18:39:21Z
GalloDaSballo marked the issue as duplicate of #139
#3 - Simon-Busch
2022-12-05T06:33:56Z
Marked this issue as Satisfactory as requested by @GalloDaSballo
0.9728 USDC - $0.97
https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/LBRouter.sol#L520
If a user sends more AVAX than necessary, this function will not work as expected and reverts due to Solidity's built-in integer overflow checks.
function swapAVAXForExactTokens(
    uint256 _amountOut,
    uint256[] memory _pairBinSteps,
    IERC20[] memory _tokenPath,
    address _to,
    uint256 _deadline
)
    external
    payable
    override
    ensure(_deadline)
    verifyInputs(_pairBinSteps, _tokenPath)
    returns (uint256[] memory amountsIn)
{
    if (_tokenPath[0] != IERC20(wavax)) revert LBRouter__InvalidTokenPath(address(_tokenPath[0]));

    address[] memory _pairs = _getPairs(_pairBinSteps, _tokenPath);
    amountsIn = _getAmountsIn(_pairBinSteps, _pairs, _tokenPath, _amountOut);

    if (amountsIn[0] > msg.value) revert LBRouter__MaxAmountInExceeded(msg.value, amountsIn[0]);

    _wavaxDepositAndTransfer(_pairs[0], amountsIn[0]);

    uint256 _amountOutReal = _swapTokensForExactTokens(_pairs, _pairBinSteps, _tokenPath, amountsIn, _to);

    if (_amountOutReal < _amountOut) revert LBRouter__InsufficientAmountOut(_amountOut, _amountOutReal);

    if (msg.value > amountsIn[0]) _safeTransferAVAX(_to, amountsIn[0] - msg.value);
}
On line #520 this function will do a refund, but I believe the logic is incorrect.
vim
Correct call should be:
if (msg.value > amountsIn[0]) _safeTransferAVAX(_to, msg.value - amountsIn[0]);
#0 - GalloDaSballo
2022-10-25T19:55:28Z
Looks like a good QA find, but no loss was shown
#1 - GalloDaSballo
2022-10-26T18:27:23Z
#2 - GalloDaSballo
2022-11-13T19:53:53Z
L
#3 - c4-judge
2022-11-13T19:53:56Z
#4 - Simon-Busch
2022-11-21T06:23:38Z
Reverted to M as requested by @GalloDaSballo. Duplicate of https://github.com/code-423n4/2022-10-traderjoe-findings/issues/469
#5 - Simon-Busch
2022-12-05T06:44:53Z
Marked this issue as satisfactory as requested by @GalloDaSballo
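The refund arithmetic from the LBRouter finding above, reduced to a minimal contract. This is an added example, not part of the submission or of the audited code base; `RefundDemo`, `refundBuggy`, `refundFixed`, `check` and the error name are hypothetical. `check` calls both variants with 3 wei sent against 2 wei needed and catches the `Panic(0x11)` that Solidity 0.8 checked arithmetic raises for the reported operand order; `to` is assumed to be an address that can receive native currency.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration with hypothetical names; not the audited router.
contract RefundDemo {
    error MaxAmountInExceeded(uint256 sent, uint256 needed);

    // Operand order from the reported line. The guard only lets the
    // subtraction run when amountIn < msg.value, so it always underflows
    // and the whole call reverts instead of refunding.
    function refundBuggy(uint256 amountIn, address to) external payable returns (uint256 refund) {
        if (amountIn > msg.value) revert MaxAmountInExceeded(msg.value, amountIn);
        if (msg.value > amountIn) {
            refund = amountIn - msg.value;
            _send(to, refund);
        }
    }

    // Operand order from the report's recommendation.
    function refundFixed(uint256 amountIn, address to) external payable returns (uint256 refund) {
        if (amountIn > msg.value) revert MaxAmountInExceeded(msg.value, amountIn);
        if (msg.value > amountIn) {
            refund = msg.value - amountIn;
            _send(to, refund);
        }
    }

    function _send(address to, uint256 amount) private {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "native transfer failed");
    }

    // Self-check: 3 wei sent, 2 wei needed, for both variants.
    function check(address to) external payable returns (bool buggyPanicked, uint256 fixedRefund) {
        require(msg.value == 3, "send exactly 3 wei");
        // External self-call so the revert can be caught; the 3 wei
        // return to this contract when the call reverts.
        try this.refundBuggy{value: 3}(2, to) {
            buggyPanicked = false;
        } catch Panic(uint256 code) {
            buggyPanicked = (code == 0x11); // arithmetic underflow/overflow
        }
        // Same inputs with the corrected subtraction: the excess goes to `to`.
        fixedRefund = this.refundFixed{value: 3}(2, to);
    }
}
```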