Code4rena finding CODE423N4:2022-09-TRIBE-FINDINGS-ISSUES-239
Sep 12, 2022

Wrong exchange rates after some time, because it is not possible to change the exchange rates after contract deployment: the rates can change after some time in real life, but there is no way to change them in the contract

Source: Code4rena (github.com)
Tags: exchange rates, contract deployment, real-time rates, oracles

Lines of code
<https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L31-L44>

Vulnerability details

Impact

Exchange rates are used to calculate the amount of baseToken users receive for their cTokens. The rates are set when the contract is deployed and cannot be changed afterwards, so after some time users would be redeemed at stale exchange rates, and either the contract's or the users' funds would be lost.

Proof of Concept

This is the constructor() and _configureExchangeRates() code of the RariMerkleRedeemer contract:

/// @param token The token that will be received when exchanging cTokens
/// @param cTokens The supported cTokens; must be exactly 27 tokens
/// @param rates The exchange rate for each cToken; must be exactly 27 rates
/// @param roots The merkle root for each cToken; must be exactly 27 roots
constructor(
    address token,
    address[] memory cTokens,
    uint256[] memory rates,
    bytes32[] memory roots
) {
    _configureExchangeRates(cTokens, rates);
    _configureMerkleRoots(cTokens, roots);
    _configureBaseToken(token);
}

// The exchange rates provided should represent how much of the base token will be given
// in exchange for 1e18 cTokens. This increases precision.
function _configureExchangeRates(address[] memory _cTokens, uint256[] memory _exchangeRates) internal {
    require(_cTokens.length == 27, "Must provide exactly 27 exchange rates.");
    require(_cTokens.length == _exchangeRates.length, "Exchange rates must be provided for each cToken");

    for (uint256 i = 0; i < _cTokens.length; i++) {
        require(
            _exchangeRates[i] > 1e10,
            "Exchange rate must be greater than 1e10. Did you forget to multiply by 1e18?"
        );
        cTokenExchangeRates[_cTokens[i]] = _exchangeRates[i];
    }
}

There is no other logic in the code that sets exchange rates, so after contract deployment they can't be changed. If the rates change in real life, users would get the wrong exchange rate when interacting with the contract and would receive less or more baseToken for their cTokens than they should.

Tools Used

VIM

Recommended Mitigation Steps

There should be a mechanism to change the exchange rates, or the contract should use oracles to obtain the real-time rates.
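As an added illustration of the first option (this is example code, not the Tribe contract): the rates are still filled once in the constructor, but a permissioned setter lets them be corrected later while keeping the same 1e10 sanity check the original enforces. The guardian address, the ExchangeRateUpdated event and the previewRedeem helper are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal redeemer (added example, not the Tribe code).
contract MutableRateRedeemer {
    address public immutable guardian; // assumed: role allowed to update rates
    mapping(address => uint256) public cTokenExchangeRates;

    event ExchangeRateUpdated(address indexed cToken, uint256 oldRate, uint256 newRate);

    constructor(address _guardian, address[] memory cTokens, uint256[] memory rates) {
        guardian = _guardian;
        require(cTokens.length == rates.length, "Exchange rates must be provided for each cToken");
        for (uint256 i = 0; i < cTokens.length; i++) {
            _setRate(cTokens[i], rates[i]);
        }
    }

    // Mitigation suggested by the report: a rate can be corrected after
    // deployment, but only for an already-configured cToken, only by the
    // guardian, and only within the original sanity bound (rate scaled by 1e18).
    function updateExchangeRate(address cToken, uint256 newRate) external {
        require(msg.sender == guardian, "not guardian");
        require(cTokenExchangeRates[cToken] != 0, "unknown cToken");
        _setRate(cToken, newRate);
    }

    function _setRate(address cToken, uint256 rate) internal {
        require(rate > 1e10, "Exchange rate must be greater than 1e10. Did you forget to multiply by 1e18?");
        uint256 old = cTokenExchangeRates[cToken];
        cTokenExchangeRates[cToken] = rate;
        emit ExchangeRateUpdated(cToken, old, rate);
    }

    // Base token owed for `amount` cTokens, with the rate expressed per 1e18 cTokens
    // as the original comment describes (assumed helper, not in the original).
    function previewRedeem(address cToken, uint256 amount) external view returns (uint256) {
        uint256 rate = cTokenExchangeRates[cToken];
        require(rate != 0, "unknown cToken");
        return (amount * rate) / 1e18;
    }
}
```

A mutable rate moves trust to whoever holds the guardian role, so in practice the setter would sit behind governance or a timelock, and the event gives redeemers something to monitor for unexpected changes.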
