Lucene search

K
code423n4Code4renaCODE423N4:2022-07-SWIVEL-FINDINGS-ISSUES-156
HistoryJul 15, 2022 - 12:00 a.m.

Implementation does not exist

2022-07-1500:00:00
Code4rena
github.com
6

Lines of code fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L156
<https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L164&gt;

Vulnerability details

Impact

ZcToken.withdraw and ZcToken.redeem will be reverted.

#Proof of Concept
<https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Tokens/ZcToken.sol#L116&gt;

In ZcToken.withdraw and ZcToken.redeem, it calls redeemer.authRedeem. redeemer can be MarketPlace here. But MarketPlace.authRedeem calls ISwivel(swivel).authRedeem.

<https://github.com/code-423n4/2022-07-swivel/blob/&gt; fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L156
<https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L164&gt;

And authRedeem function is not defined in Swivel contract. So withdraw and redeem of ZcToken will be reverted.

Tools Used

VSCode

Recommended Mitigation Steps

Change authRedeem to authRedeemZcToken in MarketPlace.

  function authRedeem(uint8 p, address u, uint256 m, address f, address t, uint256 a) public authorized(markets[p][u][m].zcToken) returns (uint256 underlyingAmount) {
    Market memory market = markets[p][u][m];
    // if the market has not matured, mature it...
    if (market.maturityRate == 0) {
      if (!matureMarket(p, u, m)) { revert Exception(30, 0, 0, address(0), address(0)); }

      if (!IZcToken(market.zcToken).burn(f, a)) { revert Exception(29, 0, 0, address(0), address(0)); }

-      ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, a);
+      ISwivel(swivel).authRedeemZcToken(p, u, market.cTokenAddr, t, a);

      return (a);
    } else {

      if (!IZcToken(market.zcToken).burn(f, a)) { revert Exception(29, 0, 0, address(0), address(0)); }

      uint256 amount = calculateReturn(p, u, m, a);
-      ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, amount);
+      ISwivel(swivel).authRedeemZcToken(p, u, market.cTokenAddr, t, amount);

      return (amount);
    }
  }

The text was updated successfully, but these errors were encountered:

All reactions