Notional x Index Coop - 0xDjango's results

A collaboration between Notional and Index Coop to create fixed rate yield index tokens.

General Information

Platform: Code4rena

Start Date: 07/06/2022

Pot Size: $75,000 USDC

Total HM: 11

Participants: 77

Period: 7 days

Judge: gzeon

Total Solo HM: 7

Id: 124

League: ETH

Notional

Findings Distribution

Researcher Performance

Rank: 5/77

Findings: 2

Award: $5,595.18

🌟 Selected for report: 1

🚀 Solo Findings: 1

Findings Information

🌟 Selected for report: 0xDjango

Labels

bug
2 (Med Risk)
sponsor confirmed

Awards

5505.9897 USDC - $5,505.99

External Links

Lines of code

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashERC4626.sol#L212-L222

Vulnerability details

Impact

Control is transferred to the receiver when the ERC777 is received. The receiver can transfer the ERC777 to another account at that point, so the before and after balance calculation will be incorrect.

uint256 balanceBefore = IERC20(asset()).balanceOf(receiver);
if (msg.sender != owner) {
    _spendAllowance(owner, msg.sender, shares);
}
_redeemInternal(shares, receiver, owner);
// Control is transferred to user. They can alter their balance here.
uint256 balanceAfter = IERC20(asset()).balanceOf(receiver);
uint256 assets = balanceAfter - balanceBefore;
// Assets can be as low as 0 if they have transferred the same amount out as received.
emit Withdraw(msg.sender, receiver, owner, assets, shares);
return assets;

Tools Used

Manual review
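The following is an added, constructed model of the accounting flaw in the snippet above; it is not the Notional/wfCash code. It assumes the share burn invokes a hook registered by the share owner before balances update (as ERC777's tokensToSend implementer does), that the underlying asset is a plain ERC20 without hooks, and that the receiver address already holds some of the asset. The vulnerable path snapshots the receiver's balance around the burn, so the hook can move the receiver's pre-existing assets and drive the reported value to 0 (or to an underflow, which Solidity 0.8 would revert). The hardened path, one option rather than the project's fix, runs the control-transferring burn before opening the snapshot window.

```python
"""Constructed model (not the Notional/wfCash code) of an ERC4626 redeem that
measures the receiver's asset balance around a share burn which hands control
to the share owner through an ERC777-style hook."""

from collections import defaultdict


class Asset:
    """Minimal ERC20-like underlying token: plain balances, no hooks."""

    def __init__(self):
        self.balances = defaultdict(int)

    def balance_of(self, account):
        return self.balances[account]

    def transfer(self, sender, to, amount):
        if self.balances[sender] < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] += amount


class Shares:
    """ERC777-like share token. burn() invokes a hook registered by the share
    owner before updating balances, the way ERC777._burn calls the owner's
    tokensToSend implementer (modelling assumption)."""

    def __init__(self):
        self.balances = defaultdict(int)
        self.hooks = {}  # owner -> callable; stands in for the ERC1820 lookup

    def mint(self, to, amount):
        self.balances[to] += amount

    def burn(self, owner, amount):
        if owner in self.hooks:
            self.hooks[owner]()  # control leaves the vault here
        if self.balances[owner] < amount:
            raise ValueError("burn exceeds balance")
        self.balances[owner] -= amount


class Vault:
    """Toy ERC4626-style vault redeeming shares 1:1 for the asset."""

    def __init__(self, asset, shares):
        self.asset = asset
        self.shares = shares
        self.events = []  # recorded Withdraw events (constructed)

    def _pay_out(self, amount, receiver):
        self.asset.transfer("vault", receiver, amount)

    def redeem_vulnerable(self, shares, receiver, owner):
        # The snapshot window contains the burn, so the owner's hook can move
        # the receiver's pre-existing assets and distort the delta.
        before = self.asset.balance_of(receiver)
        self.shares.burn(owner, shares)
        self._pay_out(shares, receiver)
        after = self.asset.balance_of(receiver)
        assets = after - before
        if assets < 0:
            # Solidity 0.8 checked arithmetic would revert here.
            raise ArithmeticError("balanceAfter - balanceBefore underflows")
        self.events.append(("Withdraw", receiver, owner, assets, shares))
        return assets

    def redeem_hardened(self, shares, receiver, owner):
        # Hardening (one option, not the project's fix): do the burn that hands
        # control away first, then measure only around the payout, a window
        # that contains no external hook.
        self.shares.burn(owner, shares)
        before = self.asset.balance_of(receiver)
        self._pay_out(shares, receiver)
        assets = self.asset.balance_of(receiver) - before
        self.events.append(("Withdraw", receiver, owner, assets, shares))
        return assets


def build_scenario(preexisting, drain):
    """Constructed balances: the vault holds 1_000 asset, 'alice' holds
    `preexisting` asset plus 100 shares, and her burn hook moves `drain` asset
    from her address to 'stash' while the vault is mid-redeem."""
    asset, shares = Asset(), Shares()
    asset.balances["vault"] = 1_000
    asset.balances["alice"] = preexisting
    shares.mint("alice", 100)
    shares.hooks["alice"] = lambda: asset.transfer("alice", "stash", drain)
    return Vault(asset, shares)


if __name__ == "__main__":
    v = build_scenario(preexisting=100, drain=100)
    print("vulnerable reports", v.redeem_vulnerable(100, "alice", "alice"))  # 0
    v = build_scenario(preexisting=100, drain=100)
    print("hardened reports", v.redeem_hardened(100, "alice", "alice"))  # 100
```

The hardened variant still relies on the asset token being hook-free; if the asset were itself an ERC777, the payout transfer would hand control away inside the window, and the reported amount should then come from the vault's own accounting of what it sent rather than from any balance delta.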

#0 - jeffywu

2022-06-15T12:49:16Z

Control of the contract is not transferred to anyone during a balanceOf call which is read only. No state can be modified.

#1 - fatherGoose1

2022-06-15T14:27:07Z

The control is transferred in _redeemInternal() which calls _burn() on the ERC777 which transfers control.

_burn() function logic here: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/109778c17c7020618ea4e035efb9f0f9b82d43ca/contracts/token/ERC777/ERC777.sol#L390-L400

#2 - jeffywu

2022-06-15T15:12:06Z

Understood, will change to confirmed

[L-01] Code vs Comment conflict: ERC20 vs ERC777

The comment indicates that ERC20 tokens are minted for the receiver, but the contract inherits from ERC777.

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashLogic.sol#L97

[L-02] Front-runnable initializer

The initialize function lacks access control and can be frontrun.

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashBase.sol#L35

[L-03] Floating pragma and inconsistent compiler versions

wfCashERC4626.sol contains a floating pragma. The other wfCash contracts are set to version 0.8.11.

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashERC4626.sol#L2
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashLogic.sol#L2
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashBase.sol#L2

[L-04] Use of deprecated safeApprove()

This function is deprecated in favor of safeIncreaseAllowance().

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashBase.sol#L68
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashBase.sol#L73
