Back to zhaojie's contests

Maia DAO - Ulysses - zhaojie's results

Harnessing the power of Arbitrum, Ulysses Omnichain specializes in Virtualized Liquidity Management.

General Information

Platform: Code4rena

Start Date: 22/09/2023

Pot Size: $100,000 USDC

Total HM: 15

Participants: 175

Period: 14 days

Judge: alcueca

Total Solo HM: 4

Id: 287

League: ETH

Maia DAO

Findings Distribution

Researcher Performance

Rank: 101/175

Findings: 1

Award: $25.68

QA:
grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryMaia DAO

Findings Information

🌟 Selected for report: MrPotatoMagic

Also found by: 0xAadi, 0xDING99YA, 0xDemon, 0xRstStn, 0xSmartContract, 0xStriker, 0xWaitress, 0xbrett8571, 0xfuje, 0xsagetony, 0xsurena, 33BYTEZZZ, 3docSec, 7ashraf, ABA, ABAIKUNANBAEV, Aamir, Audinarey, Bauchibred, Black_Box_DD, Daniel526, DanielArmstrong, DanielTan_MetaTrust, Dinesh11G, Eurovickk, Franklin, Inspecktor, John, Jorgect, Joshuajee, K42, Kek, Koolex, LokiThe5th, MIQUINHO, Myd, NoTechBG, QiuhaoLi, SanketKogekar, Sathish9098, Sentry, Soul22, SovaSlava, Stormreckson, Tendency, Topmark, Udsen, V1235816, Viktor_Cortess, Viraz, Yanchuan, ZdravkoHr, Zims, albahaca, albertwh1te, alexweb3, alexxander, ast3ros, audityourcontracts, bareli, bin2chen, bronze_pickaxe, c0pp3rscr3w3r, cartlex_, castle_chain, chaduke, debo, ether_sky, gumgumzum, imare, its_basu, jaraxxus, jasonxiale, josephdara, kodyvim, ladboy233, lanrebayode77, lsaudit, mert_eren, minhtrng, n1punp, nadin, niroh, nmirchev8, orion, peakbolt, perseverancesuccess, pfapostol, ptsanev, rvierdiiev, saneryee, shaflow2, te_aut, terrancrypt, twcctop, unsafesol, ustas, versiyonbir, windhustler, yongskiws, zhaojie, ziyou-

Awards

25.6785 USDC - $25.68

Labels

bug
downgraded by judge
grade-a
QA (Quality Assurance)
sufficient quality report
duplicate-809
Q-76

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L1210 https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootPort.sol#L87

Vulnerability details

Impact

Ulysses Protocol is a Omnichain servers,but cannot support non-EVM chains.

Proof of Concept

  1. The length of an address for receiving a message cannot exceed 40 bytes. The length of an address for a non-EVM chain must exceed 40 bytes.
if (_srcAddress.length != 40) revert LayerZeroUnauthorizedCaller();
  1. The RootPort uses address to store the token address. Address in the evm is incompatible with addresses on other non-EVM chains, so a compatible format is required.
    mapping(address token => bool isGlobalToken) public isGlobalAddress;

Tools Used

vscode

Modify the address format of cross-chain tokens and modify the limit on the address length when accepting messages.

Assessed type

Other

#0 - c4-pre-sort

2023-10-11T13:11:28Z

0xA5DF marked the issue as duplicate of #809

#1 - c4-pre-sort

2023-10-11T13:11:33Z

0xA5DF marked the issue as sufficient quality report

#2 - c4-judge

2023-10-27T08:57:02Z

alcueca changed the severity to QA (Quality Assurance)

#3 - c4-judge

2023-10-27T08:57:13Z

alcueca marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter