Ghost-Finance/g-minter

[WIP][Security] Running security tool to all GHOST contracts

Closed this issue · 1 comments

ctyl3r commented

This issue is a result of running Mythrill on all GHOST contracts:

  • Install and setup Mythrill;

  • Contracts without security problems:

    • Minter.sol;
    • GTokenERC20.sol;
    • DebtPool;
    • UpdateHouse.sol;
    • PositionVault;
    • GSpot.sol
    • CoreMath.sol

  • Contracts with security problems:

    • AuctionHouse.sol:
==== External Call To User-Supplied Address ====
SWC ID: 107
Severity: Low
Contract: AuctionHouse
Function name: auctionFinishCallback(uint256,address,address,address,address,uint256,uint256)
PC address: 4755
Estimated Gas Usage: 4569 - 39515
A call to a user-supplied address is executed.
An external message call to an address specified by the caller is executed. Note that the callee account might contain arbitrary code and could re-enter any function within this contract. Reentering the contract in an intermediate state may lead to unexpected behaviour. Make sure that no state modifications are executed after this call and/or reentrancy guards are in place.
--------------------
In file: contracts/AuctionHouse.sol:155

minter.auctionFinish(id, user, tokenCollateral, synthToken, collateralBalance, synthAmount)

--------------------
Initial State:

Account: [CREATOR], balance: 0x801080800000001, nonce:0, storage:{}
Account: [ATTACKER], balance: 0x0, nonce:0, storage:{}

Transaction Sequence:

Caller: [CREATOR], calldata: , value: 0x0
Caller: [ATTACKER], function: auctionFinishCallback(uint256,address,address,address,address,uint256,uint256), txdata: 0xb8509a580000000000000000000000000000000000000000000000000000000000000000000000000000000000000000deadbeefdeadbeefdeadbeefdeadbeefdeadbeef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, value: 0x0

==== Dependence on predictable environment variable ====
SWC ID: 116
Severity: Low
Contract: AuctionHouse
Function name: start(address,address,address,address,uint256,uint256,uint256,uint256)
PC address: 6832
Estimated Gas Usage: 1955 - 2050
A control flow decision is made based on The block.timestamp environment variable.
The block.timestamp environment variable is used to determine a control flow decision. Note that the values of variables like coinbase, gaslimit, block number and timestamp are predictable and can be manipulated by a malicious miner. Also keep in mind that attackers know hashes of earlier blocks. Don't use any of those environment variables as sources of randomness and be aware that use of these variables introduces a certain level of trust into miners.
--------------------
In file: #utility.yul:342

))
        tail := abi_encode_t_stringliteral_baecc556b46f4ed0f2b4cb599d60785ac8563dd2dc0a5bf12edea1c39e5e1

--------------------
Initial State:

Account: [CREATOR], balance: 0xbc10c0800000000, nonce:0, storage:{}
Account: [ATTACKER], balance: 0x0, nonce:0, storage:{}

Transaction Sequence:

Caller: [CREATOR], calldata: , value: 0x0
Caller: [ATTACKER], function: start(address,address,address,address,uint256,uint256,uint256,uint256), txdata: 0x09a7a43000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, value: 0x0
  • MedianSpacex.sol
==== Integer Arithmetic Bugs ====
SWC ID: 101
Severity: High
Contract: MedianSpacex
Function name: diss(address[])
PC address: 7584
Estimated Gas Usage: 12834 - 53639
The arithmetic operator can underflow.
It is possible to cause an integer overflow or underflow in the arithmetic operation.
--------------------
In file: #utility.yul:440

eq(value, 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff)

--------------------
Initial State:

Account: [CREATOR], balance: 0x20000003, nonce:0, storage:{}
Account: [ATTACKER], balance: 0x0, nonce:0, storage:{}

Transaction Sequence:

Caller: [CREATOR], calldata: , value: 0x0
Caller: [CREATOR], function: diss(address[]), txdata: 0x46d4577d0000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000, value: 0x0
fabiohild commented

All alerts are false positives, in order:

    1. the call is a privileged call from the auction house (trusted caller).
    1. The usage of timestamp poses no risk for the contract in this case.
    1. Function diss is a privileged function, false positive.