Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-01-TIMESWAP-FINDINGS-ISSUES-75
HistoryJan 05, 2022 - 12:00 a.m.

vulnerability

2022-01-0500:00:00
Code4rena
github.com
9
JSON

Handle

0v3rf10w

Vulnerability details

In technical terms, Timeswap is an automated protocol based on the use of liquidity pools and implemented on the Ethereum blockchain. Users create liquidity pools with the participation of smart contracts. One pool is one marketplace providing exchange in a pair of compatible ERC-20 tokens.

The exchange lacks the usual centralized tools - order books, centralized matching, intermediation tools. Pools are automatically managed by smart contracts, and this applies to adding tokens as well as trading them.

Timeswap is open source. The software is licensed under the GPL (General Public License).

Anyone can become a liquidity provider for an existing pool or create a new one. To do so, it is necessary to deposit the value of each underlying token. In return for the deposit, the participant receives tokens of the pool - a kind of shares, which determine the proportional ratio of the user’s contribution to the total content of the liquidity pool. Later, at any moment, these tokens can be redeemed for the underlying asset.

How Timeswap works
How the market based on the automatic market maker works:

The similarity with classical exchanges working with order books ends with the fact that there are also trading pairs, for example, ETH/USDT.
To make a trade, the user does not have to wait for a trader with a counter offer to appear “on the other side”.
The market is organized automatically by means of a smart contract, which guarantees the execution of the transaction and the input/output of assets.
While on decentralized exchanges with order books (like Binance DEX) transactions are directly between users’ wallets, AMM uses the peer-to-contract (P2C) principle - users send funds to the contract and receive from the same. To work with the platform you will need to connect a web3 wallet available options - Metamask.
The current market price of the asset is determined by a formula embedded in the smart contract.
The liquidity in the protocol is created by the users (the so-called liquidity providers).

The Timeswap exchange provides a simple and affordable way to exchange ERC-20 tokens. From a user perspective, the process is intuitive. A brief overview of how the system works:

You need to select the coin to be given and the coin to be received.
Set the amount to be given away.
The protocol will automatically calculate how much at the current rate the user will receive at the output.
The user confirms the transaction in his wallet and makes the exchange, instantly getting the output asset into his wallet.
On a basic level, all transactions in Timeswap occur within a single function called swap. Each liquidity pool is a trading floor for a pair of ERC-20 tokens. At the time a contract relating to a new pool is created, the balances of each token are zero.

In order for trades to begin within the pool, a participant must make an initial deposit of each token. The first liquidity provider and sets the initial asset price ratio in the pool by depositing an equal amount of both tokens. When other liquidity providers add money to the existing pool, they deposit it in proportion to the available rate so as not to create an arbitrage situation - a large difference between the value on Timeswap and on third-party platforms.

The code of the decentralized exchange positioned as “evolution” contains ten vulnerabilities, but none of them is critical. These are the conclusions of a smart contract audit.

Two of the vulnerabilities are moderate in nature, three are of minor risk, and the remainder are more informational.

One of the two vulnerabilities that deserves close attention has to do with the ability to re-add the liquidity provider (LP) token. In this case, the reward variables are zeroed out.

The second vulnerability points to the risk of misappropriation of funds, which is increased when the owner’s private key is compromised. In a worst-case scenario, this could result in the transfer of all LP tokens to an arbitrary address. But that won’t happen until two days later, which gives enough time to prevent such a situation.

Among the problems that have a lower risk ranking is also the potential for a lack of gas for commissions in the massUpdatePools protocol when a large number of tokens are added.

The text was updated successfully, but these errors were encountered:

All reactions

JSON