Backd contest - wuwe1's results

Maximize the power of your assets and start earning yield

General Information

Platform: Code4rena

Start Date: 21/04/2022

Pot Size: $100,000 USDC

Total HM: 18

Participants: 60

Period: 7 days

Judge: gzeon

Total Solo HM: 10

Id: 112

League: ETH

Backd

Findings Distribution

Researcher Performance

Rank: 10/60

Findings: 2

Award: $1,807.13

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
duplicate
2 (Med Risk)
reviewed

Awards

70.085 USDC - $70.08

External Links

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/pool/EthPool.sol#L30

Vulnerability details

Proof of Concept

  1. transfer has a hard-coded gas budget and can fail when the user is a smart contract. This way any programmatic usage of EthPool is at risk.
  2. https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/pool/EthPool.sol#L30

         function _doTransferOut(address payable to, uint256 amount) internal override {
             to.transfer(amount);
         }

  3. User cannot redeem due to this gas budget:

https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/pool/LiquidityPool.sol#L567

References

https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

Using low-level call.value(amount) with the corresponding result check or using the OpenZeppelin Address.sendValue is advised:

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/Address.sol#L60

#0 - chase-manning

2022-04-28T11:40:20Z

Duplicate of #52

Findings Information

🌟 Selected for report: shenwilly

Also found by: wuwe1

Labels

bug
duplicate
2 (Med Risk)
sponsor disputed
reviewed

Awards

1737.0523 USDC - $1,737.05

External Links

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/pool/LiquidityPool.sol#L523

Vulnerability details

Proof of Concept

This exploit requires that the _underlying token transfers control to the msg.sender.

depositFor can be reentered to bypass the cap check.

https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/pool/LiquidityPool.sol#L523

    function depositFor(
        address account,
        uint256 depositAmount,
        uint256 minTokenAmount
    ) public payable override notPaused returns (uint256) {
        uint256 rate = exchangeRate();

        if (isCapped()) {
            uint256 lpBalance = lpToken.balanceOf(account);
            uint256 stakedAndLockedBalance = staker.stakedAndActionLockedBalanceOf(account);
            uint256 currentUnderlyingBalance = (lpBalance + stakedAndLockedBalance).scaledMul(rate);
            require(
                currentUnderlyingBalance + depositAmount <= depositCap,
                Error.EXCEEDS_DEPOSIT_CAP
            );
        }

        _doTransferIn(msg.sender, depositAmount);

Move

        _doTransferIn(msg.sender, depositAmount);

before

        if (isCapped()) {

#0 - chase-manning

2022-04-28T11:44:21Z

We do not support ERC721 tokens in the Backd Liquidity Pools.

#1 - gzeoneth

2022-05-07T20:42:58Z

I believe the warden mistyped ERC777 as ERC721. Considering this as duplicate of #47
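A hardened counterpart to the depositFor excerpt above, added here as an illustration and not code from the Backd repository or the warden's submission: it applies the reordering the finding recommends (pull the tokens in before the cap check) and adds a reentrancy guard on top. `CappedPoolSketch`, `lpBalance`, `_status` and the fixed 1:1 rate are assumptions that stand in for the real lpToken, staker and exchangeRate() wiring.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface. An ERC777 underlying also calls the sender's
// tokensToSend hook inside transferFrom, which is where re-entry happens.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch: lpBalance stands in for lpToken.balanceOf plus the
// staker's locked balance, and the exchange rate is fixed at 1:1.
contract CappedPoolSketch {
    IERC20 public immutable underlying;
    uint256 public immutable depositCap;
    mapping(address => uint256) public lpBalance;
    uint256 private _status = 1; // 1 = unlocked, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "REENTRANT");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IERC20 token, uint256 cap) {
        underlying = token;
        depositCap = cap;
    }

    // In the original ordering the cap was checked against a balance that is
    // only credited after _doTransferIn returns, so a hook firing inside the
    // transfer saw the stale balance and a nested deposit passed the check too.
    // Here the transfer runs first (the warden's fix): any nested deposit is
    // credited before the outer check reads the balance, so the total is
    // bounded by the cap. The guard goes further and blocks nesting outright.
    function depositFor(address account, uint256 amount) external nonReentrant returns (uint256) {
        _doTransferIn(msg.sender, amount);
        require(lpBalance[account] + amount <= depositCap, "EXCEEDS_DEPOSIT_CAP");
        lpBalance[account] += amount;
        return amount;
    }

    function _doTransferIn(address from, uint256 amount) internal {
        require(underlying.transferFrom(from, address(this), amount), "TRANSFER_FAILED");
    }
}
```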
