Daniel Von Fange DanielVF
@DanielVF
DanielVF / sample.md
Last active January 21, 2024 07:07
Sample Vulnerability Report

Impact

CRITICAL! Almost all USDC liquidity on the REKT/USDC uniswap pool can be stolen, due to an authorization issue with burnFrom() on the REKT token.

Background

Uniswap v2 pools get the prices for their swaps by comparing the relative amounts of each of the two tokens that they hold. If the pool holds very little of token A, and a lot of token B, then it only takes a little of token A to buy a lot of token B.

Currently REKT and USDC are fairly priced in the pool. If there were to suddenly be very little REKT in the pool, but the same amount of USDC, then very little REKT would be able to buy a lot of USDC.

DanielVF / amm_strat_report.ipynb
Created September 11, 2023 13:50
Balancer Reth Eth
DanielVF / amo_balancing.ipynb
Last active September 7, 2023 12:34
AMO Balancing Fork Tests
DanielVF / Current Curve Earnings .ipynb
Created August 9, 2023 18:38
Get ETH Earned from Curve Rewards
DanielVF / compare_live.fish
Created June 27, 2023 14:03
Compare deployed contracts to version in local repo
#!/opt/homebrew/bin/fish
# Usage:
# ./compare_live.fish CONTRACT_ADDRESS
# Config
set SRC_DIR /PATH/TO/REPO/CONTRACTS
set OZ_DIR $SRC_DIR/node_modules
# Download
DanielVF / external_security_partners.md
Created May 24, 2023 15:58
External Security Partners

External partners & security tooling

Here's my opinionated philosophy on external audits and security providers. This is very specific to our current position - it's not the approach for every project.

1. Internal expertise

We should never rely on external partners for our security. External partners provide additional checks, but if they find a critical issue, we aren't doing our job as we should be. If we miss something real and anyone downstream catches it, we should prioritize adjusting our processes to ensure that that category of issue is caught internally, every time in the future.

Some parts of the code matter more than others. We have a contract architecture that means that big pieces of our system of contracts can't lose user funds from a bug, and thus have lower security requirements. Other parts have well-known interfaces, which means that as long as one or two guarantees hold, the rest can do only minimal damage.

DanielVF / VaultCore.sol
Last active May 15, 2023 13:26
VaultCore Upgrade
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
/**
* @title OUSD Vault Contract
* @notice The Vault contract stores assets. On a deposit, OUSD will be minted
and sent to the depositor. On a withdrawal, OUSD will be burned and
assets will be sent to the withdrawer. The Vault accepts deposits of
interest from yield bearing strategies which will modify the supply
of OUSD.
DanielVF / README.md
Created March 20, 2023 13:53
Visualize Code Changes

This visualization code is not generalized - you will need to change it to extract the code you want.

Get changes:

git log --pretty=format:%H --reverse NAMEOFBRANCH -- contracts/vault/VaultCore.sol | xargs -n 1 -I {} git show {}:contracts/contracts/vault/VaultCore.sol | grep -A 150 'function NAME_OF_FUNCTION' >versions.txt
python animate.py
DanielVF / erc20.sol
Last active February 7, 2023 21:25
Event Only Cursed ERC20
pragma solidity >=0.8.17;
// Cursed ERC20 that does everything in events.
// by @danielvf, based solmate by @transmissions11
abstract contract ERC20 {
event Transfer(address indexed from, address indexed to, uint256 amount);
event Approval(address indexed owner, address indexed spender, uint256 amount);
string public name;
DanielVF / GptBugReport.md
Last active December 19, 2022 01:30
Transcript, bad AI generated smart contract vulnerabilities.