Back to 0xpiglet's contests

Golom contest - 0xpiglet's results

An NFT marketplace that offers the lowest industry fee, a publicly available order-book along with analytical tools.

General Information

Platform: Code4rena

Start Date: 26/07/2022

Pot Size: $75,000 USDC

Total HM: 29

Participants: 179

Period: 6 days

Judge: LSDan

Total Solo HM: 6

Id: 148

League: ETH

Golom

Findings Distribution

Researcher Performance

Rank: 16/179

Findings: 3

Award: $766.68

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryGolom

Findings Information

🌟 Selected for report: Lambda

Also found by: 0x52, 0xA5DF, 0xDjango, 0xpiglet, 0xsanson, Bahurum, GalloDaSballo, GimelSec, GiveMeTestEther, Green, MEP, Twpony, arcoun, berndartmueller, cccz, dipp, kenzo, kyteg, neumo, obront, panprog, rajatbeladiya, scaraven

Awards

26.7695 USDC - $26.77

Labels

bug
duplicate
3 (High Risk)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/vote-escrow/VoteEscrowDelegation.sol#L71

Vulnerability details

Impact

An attacker can delegate multiple times, for each delegation adding extra voting power. Meaning that he can delegate to himself 100 times to have 100x voting power. This allows the attacker to easily force any proposal, as he can have more votes than the Ve total supply.

Proof of Concept

https://gist.github.com/0xpiglet/d194ebead29d1e5bb27ebe1bf2d9e2fb

Tools Used

When delegating, it should clear the old delegation before delegating the power to someone else.

#0 - KenzoAgada

2022-08-02T12:00:23Z

Duplicate of #169

Findings Information

🌟 Selected for report: async

Also found by: 0xpiglet, 0xsanson, DimitarDimitrov, Dravee, ElKu, IllIllI, JohnSmith, ak1, kenzo, scaraven

Labels

bug
duplicate
3 (High Risk)

Awards

189.5656 USDC - $189.57

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/vote-escrow/VoteEscrowDelegation.sol#L94

Vulnerability details

Impact

The impact is twofold:

  • When the first checkpoint for any tokenId is to be written, it will underflow when trying to fetch oldCheckpoint as nCheckpoints - 1 == -1. This means that the delegation flow is completely broken, and cannot be used.
  • When a checkpoint have already been written in the same block, the in-memory value oldCheckpoint is updated, but the storage is never rewritten, making the call have no effect.

Proof of Concept

https://gist.github.com/0xpiglet/2badc8fb9dd0b610416852f8c1f81ee2

Error: VM Exception while processing transaction: reverted with panic code 0x11 (Arithmetic operation underflowed or overflowed outside of an unchecked block)

Tools Used

To mitigate the underflow. Only fetch the old checkpoint if one exists, e.g., when nCheckpoints > 0. To update storage, replace the delegatedTokenIds inplace.

#0 - KenzoAgada

2022-08-02T08:14:07Z

The same-block update issue is Duplicate of #455 The underflow issue will need to be deduped later

#1 - zeroexdead

2022-08-28T16:58:22Z

The underflow issue is duplicate of #673

#2 - dmvt

2022-10-18T13:19:54Z

Duplicate of #455

Findings Information

🌟 Selected for report: kenzo

Also found by: 0xA5DF, 0xpiglet, 0xsanson, Bahurum, IllIllI, arcoun

Labels

bug
duplicate
3 (High Risk)

Awards

550.3388 USDC - $550.34

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/vote-escrow/VoteEscrowDelegation.sol#L71

Vulnerability details

Impact

An attacker can increase voting power at time t-1 (in the past). The delegate function pushes tokenId to the old checkpoint (in storage) before creating a new checkpoint. This means that the power of both checkpoints is altered, not only the new one. Can be used to increase voting power when voting on current proposals (not only future). See example below for increasing power in the past.

Proof of Concept

https://gist.github.com/0xpiglet/c88ce8e7d061e848469dd5753d868f33

Voting power tokenId 1 at 12: 999398909064507120
Voting power tokenId 1 at 11: 999398916991955115
tokenId 2 delegating to 1
Voting power tokenId 1 at 13: 1998797802274118250
Voting power tokenId 1 at 11: 1998797833983910230

Tools Used

Pass the tokenId to _writeCheckpoint and only append it to the new/updated checkpoint.

#0 - KenzoAgada

2022-08-02T07:55:51Z

Duplicate of #81

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter