SJIP 11: New Report Template

[Evert0x]

Description

Introduce new report template

Judging Guidelines PR

sherlock-protocol/sherlock-v2-docs#35

Rationale

This proposal is to create a new standard for issue submissions.

The current report standard provides little guidance and allows for free-form writing. Both aspects are identified as a core reason for inefficiencies and frustrations in the process. To give some examples

1. Watsons might not be fully aware of the judging guidelines; they will leave out critical information in their reports, resulting in invalidation

2. During the judging, the judges are forced to interpret a wide variety of styles in reports and match them against the judging guidelines. This interpretation process is not only tedious but also error-prone.

3. The previous points are a main firestarter for escalation wars, a process that no one wants to spend their time on.

4. Standardization allows for better tooling to help deduplication, for example.

5. Forcing people to write things a certain way will make them second-guess whether their discoveries are actually true. We believe this effect will also result in better and more accepted reports.

6. Watson spend a lot of time writing reports instead of auditing

The new standard guides the Watson into making an excellent report, forcing the Watson to think deeply about the issue.

Important

The standard will not be strictly enforced. Any deviation from the standard will not affect the judging outcome.

The Standard

View here how it would look like in a contest repo.

As you can see here, the current template will also be available.

A few examples of reports that were translated into the new format

• Perpetual #118
• Perpetual #123
• Titles #264
• Titles #269

Relevant Issue Discussions

All

[IllIllI000]

For perp-118, it's specific to only one of the LP types, there are pre-conditions, and the attack is slightly misstated. Updated:

update

---
original: https://github.com/sherlock-audit/2024-02-perpetual-judging/issues/118
---

# The attacker will steal funds from SpotHedgeBaseMaker LPs

### Summary

Calculating the price based on USD value and not USDT/USDC will cause loss of funds for SpotHedgeBaseMaker LPs as the attacker will withdraw more funds during the USDC/USDT de-peg.


### Root Cause

The choice to denominate all the tokens value in USD is a mistake as USDT/USDC (collateral tokens) are susceptible to de-pegs and allow to withdraw more value than the attacker should be able to.


### Internal pre-conditions

1. The vault LP account (PnL for all of the SpotHedgeBaseMaker's LPs) has a non-zero collateral token balance
2. The SpotHedgeBaseMaker has a non-zero base token balance
3. The attacker holds LP shares worth less than or equal to the SpotHedgeBaseMaker's base tokens holding's value

### External pre-conditions

1. The USDC/USDT price to be less than $1


### Attack Path:

1. The attacker calls [`withdraw`] during USDC/USDT 30% de-peg for an amount less than or equal to the base token balance, but the collateral tokens are still valued as if there's no de-peg (100% instead of 70%).


### Impact

The other LPs suffer an approximate loss of 30% when the collateral tokens need to be swapped to base tokens. The attacker gains this 30%, having not had to do the swap.


### PoC

-


### Mitigation

Use the \<quote-token>/USD oracle to convert the \<base-token>/USD price to a \<base-token>/\<quote-token> oracle

[WangSecurity]

I agree with this modifications. This report is on me, in the time of writing thought it would be quite obvious, but agree it would be better to include these changes.

[IllIllI000]

The 'As you can see here' link returns a 404

[Evert0x]

Fixed

[IllIllI000]

Are code snippets no longer necessary? If they are, which areas are required to have them? Are code links required anywhere?

[WangSecurity]

In any section you can leave a link to the code (root cause, attack path, even in pre-conditions if it allows on the admin setting a value), but it's a good idea to mention that leaving links to code is still requirement.

[itsabinashb]

What does external precondition actually means? Is it like for example a vulnerability can only be exploited if an user deposits some asset in the vault ?

[WangSecurity]

External pre-conditions are the pre-conditions inside other protocols the contest's codebase integrates with. For example, we have the codebase A, which integrates with Velodromes pools and for the attack to be possible, USDC/ETH pool has to have $3M TVL for example. This would be an external pre-condition. If you need more clarification please ask. Maybe if you can provide controversial example, it would be interesting.

About users depositing into the contest's codebase vault, then it's internal pre-condition.

[Evert0x]

Any counterarguments for completely removing the old report template? Once merged, you can only submit issues using the new template.

[IllIllI000]

should only be required for contests started after merge+announcement