Platform: Code4rena
Start Date: 06/03/2023
Pot Size: $36,500 USDC
Total HM: 8
Participants: 93
Period: 3 days
Judge: cccz
Total Solo HM: 3
Id: 218
League: ETH
Rank: 74/93
Findings: 1
Award: $21.70
π Selected for report: 0
π Solo Findings: 0
π Selected for report: adriro
Also found by: 0x1f8b, 0xAgro, 0xSmartContract, 0xfuje, 0xkazim, 0xnev, Aymen0909, Bason, Cyfrin, DadeKuma, LethL, Madalad, MohammedRizwan, Rolezn, SAAJ, SunSec, Udsen, Yukti_Chinta, ast3ros, bin2chen, brgltd, bshramin, btk, bugradar, catellatech, cryptostellar5, descharre, dontonka, erictee, fatherOfBlocks, georgits, glcanvas, hl_, horsefacts, igingu, juancito, lukris02, martin, nadin, nomoi, peanuts, pipoca, sakshamguruji, seeu, slvDev, tnevler, zaskoh
21.7018 USDC - $21.70
| ID | Title | Severity |
|---|---|---|
| [L-01] | Setting the constructor to payable | Low |
| [L-02] | A single point of failure | Low |
| [L-03] | Use the safe variant and ERC721.mint | Low |
| [L-04] | getReward can be called by everyone and front running | Low |
RNSourceBase.sol constructor and stakedToken.sol constructor !If these variable get configured with address zero, failure to immediately reset the value can result in unexpected behavior for the project.
file: src/RNSourceBase.sol : constructor(address _authorizedConsumer) { authorizedConsumer = _authorizedConsumer; }
file: src/staking/stakedToken.sol constructor(address _stakedToken, uint256 _depositDeadline, uint256 _lockDuration) { _transferOwnership(msg.sender); stakedToken = IStaking(_stakedToken); rewardsToken = stakedToken.rewardsToken(); depositDeadline = _depositDeadline; lockDuration = _lockDuration; }
buyTickets if the address of frontend and referrer is set manualyfile: src/Lottery.sol function buyTickets( uint128[] calldata drawIds, uint120[] calldata tickets, address frontend, address referrer )
add zero check address to the code above !
The onlyOwner role has a single point of failure and onlyOwner can use critical a few functions. Even if protocol admins/developers are not malicious there is still a chance for Owner keys to be stolen. In such a case, the attacker can cause serious damage to the project
file: src/Staking/stakedToken.sol : function deposit(uint256 amount) external override onlyOwner { // slither-disable-next-line timestamp if (block.timestamp > depositDeadline) { revert DepositPeriodOver(); } depositedBalance += amount; // No need for SafeTransferFrom, only trusted staked token is used. // slither-disable-next-line unchecked-transfer stakedToken.transferFrom(msg.sender, address(this), amount); }
file: src/staking/stakedToken.sol function withdraw(uint256 amount) external override onlyOwner { // slither-disable-next-line timestamp if (block.timestamp > depositDeadline && block.timestamp < depositDeadline + lockDuration) { revert LockPeriodOngoing(); }
Add a time lock to critical functions. Admin-only functions that change critical parameters should emit events and have timelocks.
.mint wonβt check if the recipient is able to receive the NFT. If an incorrect address is passed,
it will result in a silent failure and loss of asset.
file: src/Ticket.sol function mint(address to, uint128 drawId, uint120 combination) internal returns (uint256 ticketId) { ticketId = nextTicketId++; ticketsInfo[ticketId] = TicketInfo(drawId, combination, false); _mint(to, ticketId); }
use _safemint instead of _mint of openzipplin
getReward can be called by everyone and front runningmaybe this function can be front runnig by someone because everyone can call it and cause a frontend running!
file: src/staking/StakedTokenLock.sol function getReward() external override { stakedToken.getReward(); // No need for SafeTransfer, only trusted reward token is used. // slither-disable-next-line unchecked-transfer rewardsToken.transfer(owner(), rewardsToken.balanceOf(address(this))); }
use commit-reveal scheme (https://medium.com/swlh/exploring-commit-reveal-schemes-on-ethereum-c4ff5a777db8) use submarine send (https://libsubmarine.org/)
#0 - thereksfour
2023-03-12T10:24:08Z
2 L 2 NC
#1 - c4-judge
2023-03-12T10:24:12Z
thereksfour marked the issue as grade-b
#2 - c4-sponsor
2023-03-14T11:12:32Z
0xluckydev marked the issue as sponsor disputed
#3 - thereksfour
2023-03-17T13:33:42Z
2L B