Platform: Code4rena
Start Date: 14/06/2022
Pot Size: $100,000 USDC
Total HM: 26
Participants: 59
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 9
Id: 133
League: ETH
Rank: 15/59
Findings: 9
Award: $2,001.96
🌟 Selected for report: 0
🚀 Solo Findings: 0
1207.2233 CANTO - $194.97
194.9666 USDC - $194.97
One can steal WETH from other users using approve function. Using this, eventually, any amount of ETH deposited in the WETH contract can be stolen.
link to gist containing remix replay
In this scenario, account1(0x5B38Da6a701c568545dCfcB03FcB875f56beddC4) deposit 1 ether to get 1 WETH. the account2 (0xAb8483F64d9C6d1EcF9b849Ae677dD3315835cb2) use approve(account1, account2) function to approve themself 1 WETH from account1. Consequently, calls transferFrom(account1, account2, 1ether) to get the 1ether.
(Not in the replay) The account1 then, gets the real ether by using withdraw(1ether).
remix
Add some check for the msg.sender in the approve function.
#0 - tkkwon1998
2022-06-21T23:37:35Z
duplicate of issue #19
#1 - GalloDaSballo
2022-08-07T21:37:13Z
Dup of #19
🌟 Selected for report: Soosh
Also found by: 0x1f8b, Ruhum, TerrierLover, WatchPug, cccz, csanuragjain, hake, p4st13r4, zzzitron
782.2807 CANTO - $126.34
126.3383 USDC - $126.34
Anyone can add proposal.
These proposals are used later to be executed by timelock in GovernorBravoDelegate. (However, it is unclear whether the code works as intended: see the QA report "Upon queue executed true in GovernorBravoDelegate").
Possible exploits:
GovernorBravoDelegate to use up the max proposal, which will delay any further proposal/executeThis remix replay shows that one can add proposals without any access control.
remix
Presumably, the OnlyUniGov modifier should be used for this function.
#0 - nivasan1
2022-06-23T02:12:53Z
duplicate of #26
#1 - GalloDaSballo
2022-08-07T21:37:32Z
Dup of #26
🌟 Selected for report: p4st13r4
Also found by: Ruhum, TerrierLover, WatchPug, hansfriese, zzzitron
320.9326 USDC - $320.93
1987.1989 CANTO - $320.93
The totalSupply does not follow standard, and shows wrong information It is submitted as medium because this information may result in bigger problem who is using this information.
One can see In the same example as insecure approve in WETH report (gist link to the remix replay). There should be totalSupply of 1 ether after the account1 depositted 1ether, as one can check with balanceOf(account1), but the totalSupply shows 0.
remix
One may use the total balance of the ether depositted in the contract as totalBalance.
#0 - ecmendenhall
2022-06-21T22:28:00Z
#1 - nivasan1
2022-06-23T21:14:10Z
duplicate of #191
247.5766 USDC - $247.58
1532.982 CANTO - $247.58
Judge has assessed an item in Issue #275 as High risk. The relevant finding follows:
#0 - GalloDaSballo
2022-08-13T00:06:11Z
Upon queue executed true in GovernorBravoDelegate link When a new proposal is queued, the executed is set to be true. This is checked in the state function and when true, it will return ProposalState.Executed. Which means any proposal which was queued can actually never be executed. However, due to lack of existing tests and time constraints, is not confirmed.
#1 - GalloDaSballo
2022-08-13T00:06:23Z
Dup of #39
🌟 Selected for report: joestakey
Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xf15ers, 0xmint, Bronicle, Dravee, Funen, JMukesh, Limbooo, MadWookie, Picodes, Ruhum, TerrierLover, TomJ, Tutturu, WatchPug, Waze, _Adam, asutorufos, c3phas, catchup, cccz, codexploder, cryptphi, csanuragjain, defsec, fatherOfBlocks, gzeon, hake, hansfriese, hyh, ignacio, k, nxrblsrpr, oyc_109, robee, sach1r0, saian, simon135, technicallyty, zzzitron
687.9945 CANTO - $111.11
111.2113 USDC - $111.21
unigov in lending-market, for example). It was hard to test.GovernorBravoDelegator should be used with GovernorBravoDelegate as implementation.
However, due to lack of corresponding functions, some exposed functions will not work.
_acceptInitialAdmin does not exist in GovernorBravoDelegate_initiate() does not exist in GovernorBravoDelegate but only _initiate(address governorAlpha). The number of arguments does not match.queue executed true in GovernorBravoDelegateexecuted is set to be true. This is checked in the state function and when true, it will return ProposalState.Executed. Which means any proposal which was queued can actually never be executed. However, due to lack of existing tests and time constraints, is not confirmed.createPair lack of access control in BaseV1-corecreatePair is used to deploy a contract for a token pairs. And any one can create such a pair, also decide to give stable flag true or false. It is unclear whether it was intended usage or not, nor it is tested and confirmed.BaseV1-coresample function, the argument window should be checked to be greater than 0, otherwise, it might revert from division by zero.ComptrollerProposal-Store.solProposalStore does not describe the contract.BaseV1-coreMKR returns base32 for the symbol which will revert when used for the standard ERC20 interface. It is safer to use either wrapper or try catch.#0 - GalloDaSballo
2022-08-03T23:54:43Z
This is incorrect per how the "delegation" works, via fallback meaning, existing function in the Delegator work normally
Valid Low and potentially higher -> TODO: Bump
Disagree as pair creation in an AMM is crucial and permissionless creation is an acceptable design decision
NC as it's self DOS
Hardcoded is cheaper
NC
Nice find, potentially higher sev - Low for now
Your effort shows and I think you did a good job, I'd recommend providing objective feedback over personal story-telling "I had issues with he codebase".
Perhaps: "The codebase could use more thorough commenting" would work better
2L 2NC