Golom contest - 0xHarry's results

An NFT marketplace that offers the lowest industry fee, a publicly available order-book along with analytical tools.

General Information

Platform: Code4rena

Start Date: 26/07/2022

Pot Size: $75,000 USDC

Total HM: 29

Participants: 179

Period: 6 days

Judge: LSDan

Total Solo HM: 6

Id: 148

League: ETH

Golom

Findings Distribution

Researcher Performance

Rank: 76/179

Findings: 2

Award: $130.02

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/core/GolomTrader.sol#L154

Vulnerability details

Impact

The use of .transfer in https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/core/GolomTrader.sol#L154 to send ether is now considered bad practice, as gas costs can change, which would break the code.

Proof of Concept

See "Stop Using Solidity's transfer() Now" and "Istanbul Hardfork EIPs: Increasing Gas Costs and More".

Recommend using call instead, and make sure to check for reentrancy.
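The two payout patterns the finding contrasts, side by side, as an added illustration (not GolomTrader code). It assumes OpenZeppelin Contracts 4.x for the ReentrancyGuard import path; the contract, function and variable names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x (path differs in 5.x).
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Added illustration, not GolomTrader code. Holds ether owed to callers and
// pays it out in the two ways the finding discusses.
contract PayoutPatterns is ReentrancyGuard {
    mapping(address => uint256) public owed;

    function credit(address who) external payable {
        owed[who] += msg.value;
    }

    // Pattern the finding flags: .transfer forwards a fixed 2300 gas stipend.
    // A recipient contract whose receive()/fallback() needs more than that
    // (for instance after an opcode repricing such as EIP-1884) makes this
    // revert, so the funds become unreachable through this path.
    function withdrawWithTransfer() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // Recommended pattern: .call forwards all remaining gas, so the success
    // flag must be checked; because the callee can re-enter, the state
    // change happens before the call (checks-effects-interactions) and the
    // function is additionally guarded by nonReentrant.
    function withdrawWithCall() external nonReentrant {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ether transfer failed");
    }
}
```

The zeroing of owed[msg.sender] before the external call is what makes the call-based version safe even without the guard; nonReentrant is belt-and-braces for a contract that holds other state the callee might touch.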

#0 - KenzoAgada

2022-08-03T14:09:32Z

Duplicate of #343

Findings Information

🌟 Selected for report: cccz

Also found by: 0x1f8b, 0xHarry, AuditsAreUS, djxploit, jayjonah8, joestakey, teddav

Labels

bug
duplicate
2 (Med Risk)

Awards

130.0175 USDC - $130.02

Lines of code

https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/core/GolomTrader.sol#L177

Vulnerability details

Impact

In validateOrder, require(signaturesigner == o.signer, "invalid signature") will pass when o.signer is set to address(0), as the EVM's ecrecover function returns address(0) if a signature is invalid.

Recommend using OpenZeppelin's ECDSA library.

Recommend adding this check to validateOrder(): require(signer != address(0), "Cannot verify signatures from 0x0");
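A reduced version of the signer check with the unsafe shape and both recommended fixes next to each other, as an added illustration (not GolomTrader code). It assumes OpenZeppelin Contracts 4.x for the ECDSA import; the Order struct here is cut down to the fields the check uses and the contract and function names are invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

// Added illustration, not GolomTrader code. Order is reduced to the
// signer and the signature components that the check consumes.
contract OrderSignerCheck {
    struct Order {
        address signer;
        uint8 v;
        bytes32 r;
        bytes32 s;
    }

    // Shape the finding describes: ecrecover returns address(0) for an
    // invalid signature instead of reverting. If o.signer is also
    // address(0), the equality holds and the signature is accepted.
    function validateOrderUnsafe(Order calldata o, bytes32 hash) external pure returns (bool) {
        address signaturesigner = ecrecover(hash, o.v, o.r, o.s);
        require(signaturesigner == o.signer, "invalid signature");
        return true;
    }

    // Minimal fix from the finding: reject the zero address explicitly
    // before comparing against the order's claimed signer.
    function validateOrderChecked(Order calldata o, bytes32 hash) external pure returns (bool) {
        address signaturesigner = ecrecover(hash, o.v, o.r, o.s);
        require(signaturesigner != address(0), "Cannot verify signatures from 0x0");
        require(signaturesigner == o.signer, "invalid signature");
        return true;
    }

    // Library fix: OpenZeppelin's ECDSA.recover reverts when recovery
    // yields address(0) and also rejects high-s (malleable) signatures,
    // so the zero-address case never reaches the equality check.
    function validateOrderECDSA(Order calldata o, bytes32 hash) external pure returns (bool) {
        address signaturesigner = ECDSA.recover(hash, o.v, o.r, o.s);
        require(signaturesigner == o.signer, "invalid signature");
        return true;
    }
}
```

Either fix closes the gap the finding points at; the library version is preferable because it also handles signature malleability, which a hand-written zero-address check does not.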

#0 - KenzoAgada

2022-08-04T06:19:00Z

Warden doesn't describe the actual issue / what will happen if o.signer is set to address 0

#1 - KenzoAgada

2022-08-05T02:01:42Z

Also duplicate of #357

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
