Timeswap contest - ye0lde's results

Like Uniswap, but for lending & borrowing.

General Information

Platform: Code4rena

Start Date: 04/01/2022

Pot Size: $75,000 USDC

Total HM: 17

Participants: 33

Period: 7 days

Judge: 0xean

Total Solo HM: 14

Id: 74

League: ETH

Timeswap

Findings Distribution

Researcher Performance

Rank: 14/33

Findings: 2

Award: $690.61

🌟 Selected for report: 2

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Timeswap

Findings Information

🌟 Selected for report: ye0lde

Labels

bug

1 (Low Risk)

resolved

sponsor confirmed

Awards

567.9485 USDC - $567.95

External Links

Link to GitHub issue

Handle

ye0lde

Vulnerability details

Impact

The function below fails to perform input validation on arrays to verify the lengths match. A mismatch could lead to an exception or undefined behavior.

Proof of Concept

ids, assetsIn (copied into from maxAssetsIn on line 18) https://github.com/code-423n4/2022-01-timeswap/blob/bf50d2a8bb93a5571f35f96bd74af54d9c92a210/Timeswap/Timeswap-V1-Convenience/contracts/libraries/PayMath.sol#L15-L28

While givenMaxAssetsIn is an internal function if you trace the code back the parameters are passed in by an external function (pay or payEthAsset or payEthCollateral) with no array length validation.

Tools Used

Visual Studio Code, Remix

Recommended Mitigation Steps

Add input validation to check that the length of all arrays match (ids, maxAssetsIn).

#0 - Mathepreneur
2022-01-18T10:57:43Z

https://github.com/Timeswap-Labs/Timeswap-V1-Convenience/pull/72

Findings Information

🌟 Selected for report: ye0lde

Labels

bug

G (Gas Optimization)

sponsor acknowledged

Awards

93.0809 USDC - $93.08

External Links

Link to GitHub issue

Handle

ye0lde

Vulnerability details

Impact

The pool.state.totalLiquidity is increased instead of set to the value directly. This performs an unnecessary addition as pool.state.totalLiquidity is zero.

Proof of Concept

https://github.com/code-423n4/2022-01-timeswap/blob/bf50d2a8bb93a5571f35f96bd74af54d9c92a210/Timeswap/Timeswap-V1-Core/contracts/TimeswapPair.sol#L161

Tools Used

Visual Studio Code, Remix

Recommended Mitigation Steps

Change

pool.state.totalLiquidity += liquidityTotal;

pool.state.totalLiquidity = liquidityTotal;

#0 - Mathepreneur
2022-01-18T10:58:40Z

There is a refactor in the mint function.

Findings Information

🌟 Selected for report: 0x0x0x

Also found by: Dravee, Jujic, WatchPug, defsec, fatima_naz, rfa, ye0lde

Labels

bug

duplicate

G (Gas Optimization)

Awards

4.452 USDC - $4.45

External Links

Link to GitHub issue

Handle

ye0lde

Vulnerability details

Impact

Gas savings

Proof of Concept

"> 0" is used in the following locations: https://github.com/code-423n4/2022-01-timeswap/blob/bf50d2a8bb93a5571f35f96bd74af54d9c92a210/Timeswap/Timeswap-V1-Convenience/contracts/libraries/SquareRoot.sol#L21 https://github.com/code-423n4/2022-01-timeswap/blob/bf50d2a8bb93a5571f35f96bd74af54d9c92a210/Timeswap/Timeswap-V1-Convenience/contracts/libraries/PayMath.sol#L27

Tools Used

Visual Studio Code, Remix

Recommended Mitigation Steps

Change "> 0" to "!=0" for small gas savings.

#0 - amateur-dev
2022-01-14T11:06:33Z

Similar issue reported over here #172; hence closing this.

Findings Information

🌟 Selected for report: WatchPug

Also found by: Dravee, ye0lde

Labels

bug

duplicate

G (Gas Optimization)

Awards

25.1318 USDC - $25.13

External Links

Link to GitHub issue

Handle

ye0lde

Vulnerability details

Impact

Redundant arithmetic underflow/overflow checks can be avoided when an underflow/overflow cannot happen.

Proof of Concept

The "unchecked" keyword can be applied here since there is an "if" statement to ensure the arithmetic operations would not cause an integer underflow or overflow. https://github.com/code-423n4/2022-01-timeswap/blob/bf50d2a8bb93a5571f35f96bd74af54d9c92a210/Timeswap/Timeswap-V1-Convenience/contracts/libraries/Mint.sol#L278

Change the code at 278 to:

        unchecked { 
		 if (maxCollateral > dueOut.collateral) ETH.transfer(payable(msg.sender), maxCollateral - dueOut.collateral);
	}

https://github.com/code-423n4/2022-01-timeswap/blob/bf50d2a8bb93a5571f35f96bd74af54d9c92a210/Timeswap/Timeswap-V1-Convenience/contracts/libraries/Pay.sol#L62

Tools Used

Visual Studio Code, Remix

Recommended Mitigation Steps

Add the "unchecked" keyword as shown above.

#0 - amateur-dev
2022-01-15T03:44:42Z

Similar issue highlighted over here #156 ; hence closing this.

Timeswap contest - ye0lde's results

Like Uniswap, but for lending & borrowing.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $567.95

Gas Report - $122.66

QA Report - $567.95

Gas Report - $122.66

🚀 [L-03] Missing input validation on array lengths (PayMath.sol) - $567.95

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - Mathepreneur2022-01-18T10:57:43Z

🚀 [G-09] Use assignment not += in function mint (TimeswapPair.sol) - $93.08

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - Mathepreneur2022-01-18T10:58:40Z

[G-25] "> 0" is less efficient than "!= 0" for unsigned integers - $4.45

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - amateur-dev2022-01-14T11:06:33Z

[G-17] Save Gas With The Unchecked Keyword - $25.13

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - amateur-dev2022-01-15T03:44:42Z

#0 - Mathepreneur
2022-01-18T10:57:43Z

#0 - Mathepreneur
2022-01-18T10:58:40Z

#0 - amateur-dev
2022-01-14T11:06:33Z

#0 - amateur-dev
2022-01-15T03:44:42Z