Findings

Created by Tony Romanelli, Modified on Tue, 25 Feb at 11:47 AM by Tony Romanelli

The identification of a system bug, security vulnerability or a "Finding", is a documented instance of a potential security threat identified within a software system or application. This typically includes details such as the nature of the vulnerability, its location in the code base, the potential impact on system integrity and recommended remediation.

The Findings section in the Cantina Code Repository provides a convenient way to interact with findings by allowing the security researcher to:

Navigate, sort, label and comment on findings.
Submit, edit, and withdraw a finding.

Smart contract vulnerability findings interface.

Cantina repository findings section

Finding Submission Process

There are two ways to start the finding submission process. By Highlighting code during a Code Reviewor clicking the "New Finding" button in the top right corner of the Findings section.

To submit a finding the following fields must be filled unless optional.

Severity: Extent of the damages or consequences caused if this were to be exploited. This metric is a product of other factors like Likelihood and Impact, it helps in understanding how critical the vulnerability is and determine the urgency of the remediation efforts. Severity levels often range from Critical (causing severe damage, such as loss of funds, denial of services, system failures..) to Low (resulting in minimal impact with no severe consequences).
Likelihood (optional): The probability of this vulnerability being exploited or triggered.
Impact (optional): Potential consequences if this were to be exploited or triggered.
Title: A concise label or headline for the finding. The title should be informative and quickly convey the essence of the vulnerability, making it easy for anyone to understand the nature of the issue at a glance.
Description: A detailed explanation which must clearly describe the existence of a problem, its cause and consequences using any available means to communicate the point such as tests, proofs of concept or Diagrams & Formulas.
- Select template: Standard templates providing a structured writing format.

You can Add code to existing finding if it does not contain a highlighted area of code.

Security vulnerability submission interface.

submit a finding

When the finding is submitted it will be displayed in the Findings section of the interface.

Labels are user made tags which can be assigned to a finding. Each Cantina Code repository can have its own custom tags and the permissions of allowing a user to create or modify a tag depend on the circumstances of the engagement and security review type.

Security finding status labels and management interface.

Statuses represent the state of a finding. The importance of each status is dependent on the type of security review and by the Cantina Repository administrator priorities. The image below represents a finding with a Confirmed status.

Good writing skills are important to communicate complex ideas, ensuring that the reader fully understands the vulnerability's significance and urgency. Below we provide two examples to follow as a guideline when submitting Findings.

Good

A good finding report clearly explains

What is the issue.
How / Why is it happening.
Where exactly is the vulnerable code located and which logic does it connect to.
How to reproduce it with a Proof Of Concept.
How it can be remediated.

In the image below you will find a finding submission by cantina.xyz/u/cmichel. Lets dissect why this is a good finding and why you should follow this standard.

Detailed security finding with code and explanation.

Example of good finding

Clearly describes what the issue.

The supply and withdraw functions can increase the supply share price (totalSupplyAssets / totalSupplyShares). If a depositor uses the shares parameter in supply to specify how many assets they want to supply they can be tricked into supplying more assets than they wanted. It's easy to inflate the supply share price by 100x through a combination of a single supply of 100 assets and then withdrawing all shares without receiving any assets in return.

Clearly describes why is it happening.

The reason is that in withdraw we compute the assets to be received as assets = shares.toAssetsUp(market[id].totalSupplyAssets, market[id].totalSupplyShares);. Note that assets can be zero and the withdraw essentially becomes a pure burn function.

Clearly points to the vulnerable line using the Highlighting code feature.

Highlighted line of code

Provides a Proof Of Concept for anyone to reproduce and verify the vulnerability.

function testSupplyInflationAttack() public {
  vm.startPrank(SUPPLIER);
  loanToken.setBalance(SUPPLIER, 1 * 1e18);

  // 100x the price. in the end we end up with 0 supply and totalAssets = assets supplied here
  morpho.supply(marketParams, 99, 0, SUPPLIER, "");

  uint256 withdrawals = 0;
  for (;; withdrawals++) {
      (uint256 totalSupplyAssets, uint256 totalSupplyShares,,) = morpho.expectedMarketBalances(marketParams);
      uint256 shares = (totalSupplyShares + 1e6).mulDivUp(1, totalSupplyAssets + 1) - 1;
      // burn all of our shares, then break
      if (shares > totalSupplyShares) {
          shares = totalSupplyShares;
      }
      if (shares == 0) {
          break;
      }
      morpho.withdraw(marketParams, 0, shares, SUPPLIER, SUPPLIER);
  }
  (uint256 totalSupplyAssets, uint256 totalSupplyShares,,) = morpho.expectedMarketBalances(marketParams);
  console2.log("withdrawals", withdrawals);
  console2.log("totalSupplyAssets", totalSupplyAssets);
  console2.log("final share price %sx", (totalSupplyAssets + 1) * 1e6 / (totalSupplyShares + 1e6));

  // without inflation this should mint at initial share price of 1e6, i.e., 1 asset
  (uint256 returnAssets,) = morpho.supply(marketParams, 0, 1 * 1e6, SUPPLIER, "");
  console2.log("pulled in assets ", returnAssets);
}

Provides a remediation for the client.

Suppliers should use the assets parameter instead of shares whenever possible. In the other cases where shares must be used, they need to make sure to only approve the max amount they want to spend. Alternatively, consider adding a slippage parameter maxAssets that is the max amount of assets that can be supplied and transferred from the user. This attack of inflating the supply share price is especially possible when there are only few shares minted, i.e., at market creation or when an attacker / contracts holds the majority of shares that can be redeemed.

Competitions Finding Format

For Competitions, please use the Detailed template when submitting a finding.

Vulnerability report template structure.

Bad

The finding below is an example of a bad finding submission.

The description is generic, nonsensical because it shows lack of understanding of the protocol, does not clearly state the exact problem nor why is it happening.
It does not point to the lines of code affected.
It does not provide a Proof Of Concept.

Security issue report with severity indicators.

Example of bad finding