Back to ziyou-'s contests

Basin - ziyou-'s results

A composable EVM-native decentralized exchange protocol.

General Information

Platform: Code4rena

Start Date: 03/07/2023

Pot Size: $40,000 USDC

Total HM: 14

Participants: 74

Period: 7 days

Judge: alcueca

Total Solo HM: 9

Id: 259

League: ETH

Basin

Findings Distribution

Researcher Performance

Rank: 50/74

Findings: 1

Award: $17.52

QA:
grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryBasin

Findings Information

🌟 Selected for report: 0xprinc

Also found by: 0x11singh99, 0xAnah, 0xWaitress, 0xkazim, 2997ms, 33audits, 404Notfound, 8olidity, CRIMSON-RAT-REACH, CyberPunks, DanielWang888, Deekshith99, Eeyore, Eurovickk, Inspecktor, JGcarv, John, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Qeew, QiuhaoLi, Rolezn, TheSavageTeddy, Topmark, Trust, Udsen, a3yip6, alexzoid, bigtone, codegpt, erebus, fatherOfBlocks, ginlee, glcanvas, hunter_w3b, josephdara, kaveyjoe, kutugu, mahdirostami, max10afternoon, oakcobalt, peanuts, pfapostol, ptsanev, qpzm, radev_sw, ravikiranweb3, sces60107, seth_lawson, te_aut, twcctop, zhaojie, ziyou-

Awards

17.5208 USDC - $17.52

Labels

bug
downgraded by judge
grade-a
low quality report
QA (Quality Assurance)
Q-54

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-07-basin/blob/c1b72d4e372a6246e0efbd57b47fb4cbb5d77062/src/Well.sol#L730-L750

Vulnerability details

Impact

Not checking whether iToken and jToken are the same token leads to unexpected situations.

Proof of Concept

https://github.com/code-423n4/2023-07-basin/blob/c1b72d4e372a6246e0efbd57b47fb4cbb5d77062/src/Well.sol#L730-L750 function _getIJ( IERC20[] memory _tokens, IERC20 iToken, IERC20 jToken ) internal pure returns (uint256 i, uint256 j) { bool foundI = false; bool foundJ = false;

    for (uint256 k; k < _tokens.length; ++k) {
        if (iToken == _tokens[k]) {
            i = k;
            foundI = true;
        } else if (jToken == _tokens[k]) {
            j = k;
            foundJ = true;
        }
    }

    if (!foundI) revert InvalidTokens();
    if (!foundJ) revert InvalidTokens();
}

Tools Used

vscode

Add corresponding checks

Assessed type

Other

#0 - c4-pre-sort

2023-07-12T06:53:39Z

141345 marked the issue as duplicate of #182

#1 - c4-pre-sort

2023-07-12T14:12:35Z

141345 marked the issue as not a duplicate

#2 - c4-pre-sort

2023-07-12T14:12:41Z

141345 marked the issue as low quality report

#3 - 141345

2023-07-12T14:13:11Z

similar to https://github.com/code-423n4/2023-07-basin-findings/issues/182

lack detailed POC

#4 - alcueca

2023-08-03T14:29:24Z

Poor PoC, but it is true that _getIJ(tokens, tokenA, tokenA) reverts with InvalidTokens, even if tokenA is in tokens.

If this is intended behaviour, the documentation is certainly poor. On the other hand, this bug might be preventing same-token exploits.

@publiuss, care to weigh in?

#5 - publiuss

2023-08-07T11:37:13Z

_getIJ

This function is not intended to support the case where tokenI and tokenJ are the same token. This should be documented, but it is not.

To your point, it also helps to protect against same-token exploits.

#6 - alcueca

2023-08-08T05:22:25Z

I'm going to be generous to the warden and consider it grade-b QA.

@publiuss, please consider making the same-token protection explicit and documented.

#7 - c4-judge

2023-08-08T05:22:31Z

alcueca changed the severity to QA (Quality Assurance)

#8 - c4-judge

2023-08-08T05:22:39Z

alcueca marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter