Code4rena (code423n4) CODE423N4:2022-07-SWIVEL-FINDINGS-ISSUES-156
Jul 15, 2022 - 12:00 a.m.

Implementation does not exist


Lines of code

<https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L156>
<https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L164>

Vulnerability details

Impact

ZcToken.withdraw and ZcToken.redeem will revert.

Proof of Concept

<https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Tokens/ZcToken.sol#L116>

ZcToken.withdraw and ZcToken.redeem call redeemer.authRedeem. The redeemer can be MarketPlace here, but MarketPlace.authRedeem calls ISwivel(swivel).authRedeem.

<https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L156>
<https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Marketplace/MarketPlace.sol#L164>

The authRedeem function is not defined in the Swivel contract, so ZcToken.withdraw and ZcToken.redeem will revert.

Tools Used

VSCode

Recommended Mitigation Steps

Change authRedeem to authRedeemZcToken in MarketPlace.

  function authRedeem(uint8 p, address u, uint256 m, address f, address t, uint256 a) public authorized(markets[p][u][m].zcToken) returns (uint256 underlyingAmount) {
    Market memory market = markets[p][u][m];
    // if the market has not matured, mature it...
    if (market.maturityRate == 0) {
      if (!matureMarket(p, u, m)) { revert Exception(30, 0, 0, address(0), address(0)); }

      if (!IZcToken(market.zcToken).burn(f, a)) { revert Exception(29, 0, 0, address(0), address(0)); }

-      ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, a);
+      ISwivel(swivel).authRedeemZcToken(p, u, market.cTokenAddr, t, a);

      return (a);
    } else {

      if (!IZcToken(market.zcToken).burn(f, a)) { revert Exception(29, 0, 0, address(0), address(0)); }

      uint256 amount = calculateReturn(p, u, m, a);
-      ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, amount);
+      ISwivel(swivel).authRedeemZcToken(p, u, market.cTokenAddr, t, amount);

      return (amount);
    }
  }
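
Review bot: both replaced calls, in the maturityRate == 0 branch and in the else branch, still go through the ISwivel(swivel) interface cast, so the compiler checks authRedeemZcToken only against the ISwivel declaration and not against the Swivel contract itself. The patch should rename the function in the ISwivel interface as well and confirm that the argument order (p, u, market.cTokenAddr, t, a) matches the definition in Swivel. A test that drives ZcToken.withdraw and ZcToken.redeem through MarketPlace.authRedeem against the real Swivel contract, for both a matured and an unmatured market, would have caught the original mismatch and would guard this rename.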

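
The mismatch described in the Proof of Concept compiles cleanly because MarketPlace only sees the ISwivel interface. The check below is an added example, not code from the finding or the Swivel project: it compares the signatures an interface declares with those a contract defines and lists same-typed functions as likely intended targets. The two Solidity snippets are constructed stand-ins; their parameter types are inferred from the call shown above, and their return types and bodies are assumptions.

```python
import re

# Constructed, simplified stand-ins for the contracts named in the finding.
# Parameter types are inferred from the call shown on the page; the return
# types and function bodies are assumptions.
ISWIVEL_SRC = """
interface ISwivel {
  // name the MarketPlace call site expects
  function authRedeem(uint8 p, address u, address c, address t, uint256 a) external returns (bool);
}
"""
SWIVEL_SRC = """
contract Swivel {
  function authRedeemZcToken(uint8 p, address u, address c, address t, uint256 a) external returns (bool) {
    return true;
  }
}
"""

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)")
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
ALIASES = {"uint": "uint256", "int": "int256"}  # Solidity type aliases

def signatures(src):
    """Canonical 'name(type,...)' signatures declared in Solidity source.

    Handles elementary and array types only; struct/tuple parameters would
    need a real parser.
    """
    sigs = set()
    for name, params in FUNC_RE.findall(COMMENT_RE.sub("", src)):
        types = [p.split()[0] for p in params.split(",") if p.strip()]
        sigs.add(f"{name}({','.join(ALIASES.get(t, t) for t in types)})")
    return sigs

def unimplemented(interface_src, impl_src):
    """Map each interface signature the implementation lacks to the
    implementation functions that take the same parameter types."""
    impl = signatures(impl_src)
    report = {}
    for sig in sorted(signatures(interface_src) - impl):
        params = sig[sig.index("("):]
        report[sig] = sorted(s for s in impl if s.endswith(params))
    return report

if __name__ == "__main__":
    for missing, candidates in unimplemented(ISWIVEL_SRC, SWIVEL_SRC).items():
        print(f"not implemented: {missing}; same parameters: {candidates}")
```

Run against a project's real interface and contract files in CI, a non-empty report fails the build before a call site like MarketPlace.authRedeem can ship with a name the target does not define.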