Reality Cards contest - 0xsanson's results

The world's first 'outcome ownership' prediction market.

General Information

Platform: Code4rena

Start Date: 19/08/2021

Pot Size: $30,000 USDC

Total HM: 5

Participants: 11

Period: 7 days

Judge: 0xean

Total Solo HM: 4

Id: 26

League: ETH

Reality Cards

Findings Distribution

Researcher Performance

Rank: 9/11

Findings: 3

Award: $486.83

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Reality Cards

Findings Information

🌟 Selected for report: leastwood

Also found by: 0xsanson, JMukesh, cmichel, gpersoon, hickuphh3

Labels

bug

duplicate

1 (Low Risk)

Awards

227.1627 USDC - $227.16

External Links

Link to GitHub issue

Handle

0xsanson

Vulnerability details

Impact

Treasury.sol has a mapping marketWhitelist[addr] to check if a certain market has to be restricted.

The issue is that the contract doesn't have a function to change the marketWhitelist values, so every market is always not-restricted. In other words, the following requirement in RCMarket.sol is always satisfied:

// restrict certain markets to specific whitelists
require(
    treasury.marketWhitelistCheck(_user),
    "Not approved for this market"
);

Proof of Concept

https://github.com/code-423n4/2021-08-realitycards/blob/main/contracts/RCMarket.sol#L758-L761

Tools Used

editor

Recommended Mitigation Steps

Add a function where the owner can change marketWhitelist in Treasury.sol.

#0 - Splidge
2021-08-26T08:58:53Z

Duplicate of #18

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Auditors

Browse

Contests

Browse

Get in touch

Contact Twitter

Findings Information

🌟 Selected for report: gpersoon

Also found by: 0xsanson

Labels

bug

duplicate

1 (Low Risk)

Awards

259.6738 USDC - $259.67

External Links

Link to GitHub issue

Handle

0xsanson

Vulnerability details

Impact

In RCMarket.setWinner, the conversion from uint256 to uint32 isn't performed safely.

uint256 _blockTimestamp = uint32(block.timestamp);
require(_blockTimestamp <= type(uint32).max, "Overflow");
marketLockingTime = uint32(_blockTimestamp);

Indeed it checks that _blockTimestamp <= type(uint32).max instead of block.timestamp <= type(uint32).max.

Reference to the correct implementation: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v3.4.0/contracts/utils/SafeCast.sol#L63-L66

Proof of Concept

https://github.com/code-423n4/2021-08-realitycards/blob/main/contracts/RCMarket.sol#L511-L513

Tools Used

editor

Recommended Mitigation Steps

Change to:

require(block.timestamp <= type(uint32).max, "Overflow");
marketLockingTime = uint32(block.timestamp);

#0 - Splidge
2021-08-26T09:41:16Z

Duplicate of #28

Findings Information

🌟 Selected for report: 0xsanson

Labels

bug

G (Gas Optimization)

sponsor confirmed

Resolved

Awards

0 USDC - $0.00

External Links

Link to GitHub issue

Handle

0xsanson

Vulnerability details

Impact

In rcMarket._processRentCollection it's possible to save a SLOAD by rewriting the lines:

uint256 _rentOwed = (card[_card].cardPrice *
    (_timeOfCollection - card[_card].timeLastCollected)) / 1 days;
uint256 _timeHeldToIncrement = (_timeOfCollection -               
    card[_card].timeLastCollected);

into:

uint256 _timeHeldToIncrement = (_timeOfCollection -               
    card[_card].timeLastCollected);
uint256 _rentOwed = (card[_card].cardPrice * _timeHeldToIncrement) / 1 days;

Proof of Concept

https://github.com/code-423n4/2021-08-realitycards/blob/main/contracts/RCMarket.sol#L1060-L1063

Tools Used

editor

Recommended Mitigation Steps

Consider changing the code as illustrated.

#0 - Splidge
2021-09-07T11:05:14Z

Fixed here

Reality Cards contest - 0xsanson's results

The world's first 'outcome ownership' prediction market.

General Information

Findings Distribution

Researcher Performance

External Links

[M-01] whitelist not working as inteded - $227.16

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - Splidge2021-08-26T08:58:53Z

QA Report - $259.67

Gas Report - $0.00

QA Report - $259.67

Gas Report - $0.00

[L-10] Wrong safeCast implementation - $259.67

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - Splidge2021-08-26T09:41:16Z

🚀 [G-02] gas saving in `_processRentCollection` - $0.00

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - Splidge2021-09-07T11:05:14Z

#0 - Splidge
2021-08-26T08:58:53Z

#0 - Splidge
2021-08-26T09:41:16Z

#0 - Splidge
2021-09-07T11:05:14Z