code-423n4 / 2022-07-swivel-findings


Implementation does not exist #156

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L156
https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L164

Vulnerability details

Impact

ZcToken.withdraw and ZcToken.redeem will be reverted.

Proof of Concept

https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Tokens/ZcToken.sol#L107
https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Tokens/ZcToken.sol#L116

ZcToken.withdraw and ZcToken.redeem call redeemer.authRedeem. The redeemer can be MarketPlace here, but MarketPlace.authRedeem calls ISwivel(swivel).authRedeem.

https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L156
https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L164

And the authRedeem function is not defined in the Swivel contract, so withdraw and redeem of ZcToken will be reverted.

Tools Used

VSCode

Recommended Mitigation Steps

Change authRedeem to authRedeemZcToken in MarketPlace.

  function authRedeem(uint8 p, address u, uint256 m, address f, address t, uint256 a) public authorized(markets[p][u][m].zcToken) returns (uint256 underlyingAmount) {
    Market memory market = markets[p][u][m];
    // if the market has not matured, mature it...
    if (market.maturityRate == 0) {
      if (!matureMarket(p, u, m)) { revert Exception(30, 0, 0, address(0), address(0)); }

      if (!IZcToken(market.zcToken).burn(f, a)) { revert Exception(29, 0, 0, address(0), address(0)); }

-      ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, a);
+      ISwivel(swivel).authRedeemZcToken(p, u, market.cTokenAddr, t, a);

      return (a);
    } else {

      if (!IZcToken(market.zcToken).burn(f, a)) { revert Exception(29, 0, 0, address(0), address(0)); }

      uint256 amount = calculateReturn(p, u, m, a);
-      ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, amount);
+      ISwivel(swivel).authRedeemZcToken(p, u, market.cTokenAddr, t, amount);

      return (amount);
    }
  }
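
Review bot: in both replaced calls (the not-yet-matured branch and the else branch) the rename touches only the call site in MarketPlace, so the ISwivel interface also has to declare authRedeemZcToken with this five-argument list (p, u, market.cTokenAddr, t, a or amount); that declaration is not among the lines shown, and without it MarketPlace will not compile. The result of the Swivel call is also discarded, while matureMarket and burn on the neighbouring lines revert with Exception(30, ...) and Exception(29, ...) on failure; if authRedeemZcToken returns a success flag, check it the same way. A test that drives ZcToken.withdraw and ZcToken.redeem through MarketPlace end to end would have caught the original mismatch and would guard this rename.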

JTraversa commented 2 years ago

Duplicate of #39

bghughes commented 2 years ago

Duplicate of #39
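
A name-level check for the mismatch reported in this issue, as an added example that is not part of the original thread or the Swivel code base. The contract sources are constructed stand-ins (parameter lists are assumptions), and the `I<Contract>` naming convention is assumed from the `ISwivel` and `IZcToken` casts on the page.

```python
import re

# Constructed, simplified stand-ins for the contracts named in the report.
# Parameter lists are assumptions; only the function names come from the issue.
SOURCES = {
    "MarketPlace": """
contract MarketPlace {
  function authRedeem(uint8 p, address u, uint256 m, address f, address t, uint256 a) public {
    if (!IZcToken(market.zcToken).burn(f, a)) { revert(); }
    ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, a);
  }
}""",
    "Swivel": """
contract Swivel {
  function authRedeemZcToken(uint8 p, address u, address c, address t, uint256 a) external {}
}""",
    "ZcToken": """
contract ZcToken {
  function burn(address f, uint256 a) external returns (bool) { return true; }
}""",
}

# IName(<expr>).fn(  ->  ("Name", "fn"); relies on the I<Contract> naming convention.
CALL = re.compile(r"\bI([A-Z]\w*)\(\s*[\w.\[\]]+\s*\)\.(\w+)\s*\(")
DECL = re.compile(r"\bfunction\s+(\w+)\s*\(")


def missing_targets(sources):
    """List (caller, target, fn) where caller invokes ITarget(x).fn but Target declares no fn."""
    findings = set()
    for caller, src in sources.items():
        for target, fn in CALL.findall(src):
            impl = sources.get(target)
            if impl is not None and fn not in set(DECL.findall(impl)):
                findings.add((caller, target, fn))
    return sorted(findings)


# The same sources with the rename from the recommended mitigation applied.
PATCHED = dict(
    SOURCES,
    MarketPlace=SOURCES["MarketPlace"].replace(".authRedeem(", ".authRedeemZcToken("),
)

if __name__ == "__main__":
    print(missing_targets(SOURCES))
    print(missing_targets(PATCHED))
```

The check compares function names only: it does not resolve inherited functions or compare parameter types, so it complements an end-to-end test of withdraw and redeem and does not replace one.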