Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hardcoded liquidity #107

Closed
c4-submissions opened this issue Nov 26, 2023 · 6 comments
Closed

Hardcoded liquidity #107

c4-submissions opened this issue Nov 26, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality primary issue Highest quality submission among a set of duplicates unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-11-zetachain/blob/2834e3f85b2c7774e97413936018a0814c57d860/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerTrident.strategy.sol#L203

Vulnerability details

Hardcoded false Boolean with unimplemented business logic.

Impact

When other contract interact with ZetaTokenConsumerTrident.strategy.sol and call the hasZetaLiquidity, it will always return false regardless if there is liquidity in the pool. It provides falsified information to user.

Tools Used

Manual Review

Recommended Mitigation Steps

Add business logic similar to other dex contracts which actually checks for liquidity and return the correct boolean:

repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV2.strategy.sol
repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV3.strategy.sol
repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerPancakeV3.strategy.sol

Assessed type

Context
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 26, 2023
c4-submissions added a commit that referenced this issue Nov 26, 2023
@c4-submissions
eeshenggoh issue #107
864c005
@c4-pre-sort
Copy link

DadeKuma marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Dec 18, 2023
@c4-pre-sort c4-pre-sort mentioned this issue Dec 18, 2023
Closed
@c4-pre-sort c4-pre-sort added the insufficient quality report This report is not of sufficient quality label Dec 18, 2023
@c4-pre-sort
Copy link

DadeKuma marked the issue as insufficient quality report

@DadeKuma
Copy link

QA at best

@c4-judge c4-judge closed this as completed Jan 7, 2024
@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Jan 7, 2024
@c4-judge
Copy link

c4-judge commented Jan 7, 2024

0xean marked the issue as unsatisfactory:
Overinflated severity

@goheesheng
Copy link

The problem is that if there is liquidity, the called function will return false information. Hence my report.

@DadeKuma
Copy link

There is a TODO comment that explicitly says that the logic is not implemented yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality primary issue Highest quality submission among a set of duplicates unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@DadeKuma @goheesheng @c4-judge @c4-pre-sort @c4-submissions