Open code423n4 opened 1 year ago
141345 marked the issue as primary issue
PowVT marked the issue as sponsor acknowledged
These contracts are only indented to be deployed on mainnet.
@PowVT - that may be the case, but it seems it was not clearly documented. I am inclined to award this as M as the warden analyzed the code given the documentation presented and found a valid issue if this code was to be deployed to "EVM blockchains" in general.
thoughts?
0xean changed the severity to 2 (Med Risk)
0xean marked the issue as satisfactory
ok I see, yeah we do say "EVM Chains". But seems more like a QA thing to us.
Considering the sponsors stated in discord this was for mainnet only, I am going to mark this as QA. Its hard to be fair to all wardens in this situation given that some may not have seen the discord message.
0xean changed the severity to QA (Quality Assurance)
bumping the warden QA report to "A"
0xean marked the issue as grade-a
Hi @0xean, The issue #312 was reported based on the information given in the documentation. Documentation mentions that Arcade.xyz
is operated on EVM blockchains
in general.
But it seems the issue has been downgraded based on details provided in the discord which are not conclusive enough due to following reasons.
Arcade.xyz
is operated on EVM blockchains in general.They will be deployed on Mainnet.
only
.contracts will not be deployed in other blockchains
.deployed blockchains
is not conclusive enough to deny the information explicitly given in the documentation which states that Arcade.xyz
is operated in EVM blockchains
in general.Hence based on the above provided reasons I would like to kindly request to reconsider the severity of this issue and consider escalating it to a medium since the warden has submitted the bug based on the information provided to him.
Note : If in the documentation the EVM blockchains
was not mentioned explicitly, then i agree that the provided information in the discord is enough to conclude that the contracts will be deployed on the mainnet only.
But since in the documenation it explicitly states EVM blockchains
and the given information in the discord does not conclusively deny this fact, I would kindly request to reconsider the severity of the reported issue #312.
As a humble request, I would like to suggest that the official documentation provided, should be given the priority in future contests and if there is a discrepency between the documentation and the actual implementation it should be clearly mentioned atleast as a pinned message in the discord so every warden is clearly alerted of the change. This will save both time and effort of all the stake holders involved in the contest and negate any confusion. If above is not followed then the wardens should be given the benefit of the doubt since they invest lot of time and effort into reporting bugs based on the provided information.
This issue is invalid.
I would like to add that this is a generic, common issue that is usually reported by bots. It wasn't reported in the automated findings, as the contracts are deployed only on mainnet.
Also note that:
- Does it use a side-chain?: False
Please consider the following comments:
Arcade.xyz is a platform for autonomous borrowing, lending, and escrow of NFT collateral on EVM blockchains.
which creates possibility of future deployment into other EVM blockchains.They will be deployed on Mainnet
which does not include the only mainnet
part and as a result does not explicitly deny the statement given in the documentation, as explained in my previous comment.I will accept the final judgment which will be given by the judge on this regard without further dispute.
Hello
This is a great report but I would politely side with @0xean judge
there is insufficient evidence to support this claim and assumption in the original report
Hence the protocol will be used in the EVM layer2 solutions such as optimism and arbitrum as well.
https://docs.arcade.xyz/docs/architecture
The Arcade Protocol is a set of smart contracts deployed on the Ethereum blockchain that facilitates trustless peer to peer borrowing, lending, and escrow of NFT assets.
and sponsor confirm the "only mainnet" deployment.
I am going to leave this as graded.
As more and more EVM based chains launch, there is going to be more potential issues with writing solidity that is generic enough for them all (hooks, block timing, etc).
I do think c4 should do a better job in screening contests so its explicit which chains are in or out of scope and will ask the team if that can be added to the standard list of questions in a way that is more clear (IE not side chains vs L1s L2s, etc).
I think it should read "Which blockchains will this code be deployed to and are considered in scope for this audit?"
There is no perfectly fair outcome here and for that all we can do is make the process better next time.
Lines of code
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/ArcadeTreasury.sol#L386 https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/ArcadeTreasury.sol#L360 https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/ARCDVestingVault.sol#L106 https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/external/council/CoreVoting.sol#L15-L24 https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/external/council/CoreVoting.sol#L167-L170
Vulnerability details
Impact
The
ArcadeTreasury._spend
andArcadeTreasury._approve
functions are used tospend
andapprove
tokens from the treasury respectively. Both the above mentioned functions use theblock.number
as thekey value
in theblockExpenditure
mapping to store theamount of tokens
spent within the current block. TheblockExpenditure[block.number]
value can not be greater than thelimit
which is passed into the function. This condition is enforced as follows:The documentation of the protocol states that this protocol is implemented on EVM blockchains as show below:
Hence the protocol will be used in the EVM layer2 solutions such as
optimism
andarbitrum
as well.But the problem here is that on Optimism, the
block.number
is not a reliable source of timing information and the time between each block is also different from Ethereum. This is because each transaction is it's own block inoptimism
and blocks are not produced at a constant rate.Hence the above conditional check on
blockExpenditure[block.number]
tocap
the expenditure within a specific block will be deemed useless sinceeach transaction has its own block.number
. Hence the purpose of this check, which is to limit the amount of tokens spent from the treasury, within a certain block, is not properly implemented inoptimism
.The same concern is applicable to
arbitrum
as well.Similarly in the
ARCDVestingVault.addGrantAndDelegate
function, if thestartTime
input parameter is set to zero then thestartTime
will be made theblock number
which the tx is in, as shown below:And the subsequent
timestamps
such as theexpiration
andcliff
are all using theblock.number
of respective blocks, as a measure of time. As it was explained earlier theblock.number
is not a reliable source of timing information on layer2 EVM chains such asoptimism
andarbitrum
.For an example when the user is using the same protocol in
mainnet
andoptimism
he will experience much shorter time durations with regard tostartTime
,cliff
andexpiration
inoptimism
. This could break the core functionality of the protocol, create confusion and lower the user experience.Similarly the
ArcadeGSCCoreVoting
contract is inheriting from theCoreVoting
contract. TheCoreVoting
contract has calculatedDAY_IN_BLOCKS
value as6496
by assuming the block time of13.3 seconds
. The subsequent vlaueslockDuration
,extraVoteTime
are calculated using theDAY_IN_BLOCKS
value.These values are used in conditinal checks of the critical function
CoreVoting.proposal
as shown below:This is to ensure that the expiration timestamp of the proposal is valid. But since we are using the
DAY_IN_BLOCKS = 6496
to calculate the abovetimelines
, it provides inaccurate time measurements when used withoptimism
andarbitrum
. This is because theblocks are not produced at a constant rate
inoptimism
andarbitrum
. Hence this will break the core functionality of theCoreVoting.proposal
function as far as the timestamps are concerned.Proof of Concept
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/ArcadeTreasury.sol#L386
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/ArcadeTreasury.sol#L360
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/ARCDVestingVault.sol#L106
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/external/council/CoreVoting.sol#L15-L24
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/external/council/CoreVoting.sol#L167-L170
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
It is recommended to use
epoch
based implementation usingblock.timestamp
to store theblockExpenditure
details within a certainepoch
duration, for more accurate measurement of time, instead of usingblock.number
.Hence it is recommended to consider using
block.timestamp
instead ofblock.number
for more accurate measurement of time.Assessed type
Other