Platform: Code4rena
Start Date: 07/07/2022
Pot Size: $75,000 USDC
Total HM: 32
Participants: 141
Period: 7 days
Judge: HardlyDifficult
Total Solo HM: 4
Id: 144
League: ETH
Rank: 79/141
Findings: 2
Award: $99.43
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: xiaoming90
Also found by: 0x1f8b, 0x29A, 0x52, 0xA5DF, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xsanson, 0xsolstars, 242, 8olidity, Amithuddar, Aymen0909, Bnke0x0, BowTiedWardens, David_, Deivitto, ElKu, Funen, Hawkeye, IllIllI, JC, Kaiziron, Keen_Sheen, Kthere, Kulk0, Kumpa, Lambda, MEP, ReyAdmirado, Rohan16, Ruhum, Sm4rty, TomJ, Tomio, Treasure-Seeker, TrungOre, Tutturu, Viksaa39, Waze, _Adam, __141345__, ak1, apostle0x01, asutorufos, async, ayeslick, aysha, bbrho, benbaessler, berndartmueller, c3phas, cccz, chatch, cloudjunky, codexploder, cryptphi, delfin454000, dipp, durianSausage, dy, exd0tpy, fatherOfBlocks, hake, hansfriese, horsefacts, hubble, joestakey, jonatascm, kebabsec, kenzo, kyteg, mektigboy, neumo, oyc_109, pashov, pedr02b2, peritoflores, rajatbeladiya, rbserver, robee, rokinot, s3cunda, sach1r0, sahar, sashik_eth, scaraven, shenwilly, simon135, sorrynotsorry, sseefried, svskaushik, unforgiven, z3s, zzzitron
61.9564 USDC - $61.96
Consider the following case where Alice owns 2 erc1155s (the total supply).
Bob has no way of obtaining tokens since he does not own any. The test case below demonstrates the scenario.
function testEndSuccessfull2() public {
    // total_supply = 10000
    // half_supply = 5000
    // set up vault with alice owning 2
    // transfer from alice to bob 1 erc1155
    initializeBuyout(alice, bob, 2, 1, true);
    // bob trying to buy out Alice
    bob.buyoutModule.start{value: 1 wei}(vault);
    alice.buyoutModule.buyFractions{value: 1 wei}(vault, 1);
    alice.buyoutModule.sellFractions(vault, 2);
    assertEq(getETHBalance(alice.addr), 100 ether + 1 wei);
    vm.warp(rejectionPeriod + 1);
    assertEq(getFractionBalance(bob.addr), 0);
    assertEq(getFractionBalance(buyout), 2);
    bob.buyoutModule.end(vault, burnProof);
    assertEq(getETHBalance(buyout), 0 ether);
    assertEq(getETHBalance(bob.addr), 100 ether);
    assertEq(getFractionBalance(bob.addr), 0);
    assertEq(getFractionBalance(buyout), 0);
}
Prevent a user from selling owned fractions into the buyout pool if the user owns > 50% of the total supply.
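A sketch of the guard recommended above, added here as an illustration and not taken from the Fractional code base. The contract, its simplified fraction ledger, and the names `BuyoutPoolSketch`, `MajorityHolder`, `InsufficientBalance`, `PoolUnderfunded` and `poolFractions` are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Added illustration only. This is NOT the audited Buyout module; every
/// name and the internal ledger are assumptions made for the example.
contract BuyoutPoolSketch {
    error ZeroAmount();
    error InsufficientBalance();
    error MajorityHolder(uint256 balance, uint256 totalSupply);
    error PoolUnderfunded();

    uint256 public immutable totalSupply;
    uint256 public immutable fractionPrice;       // wei paid per fraction sold
    mapping(address => uint256) public balanceOf; // simplified fraction ledger
    uint256 public poolFractions;                 // fractions held by the pool

    // The deployer funds the pool with ETH; `holder` starts with the full supply.
    constructor(address holder, uint256 supply, uint256 price) payable {
        totalSupply = supply;
        fractionPrice = price;
        balanceOf[holder] = supply;
    }

    function sellFractions(uint256 amount) external {
        // Reject no-op calls before doing any other work.
        if (amount == 0) revert ZeroAmount();

        uint256 bal = balanceOf[msg.sender];
        if (bal < amount) revert InsufficientBalance();

        // Recommended guard: an account holding more than 50% of the
        // supply may not sell into the buyout pool.
        if (bal * 2 > totalSupply) revert MajorityHolder(bal, totalSupply);

        uint256 payout = amount * fractionPrice;
        if (address(this).balance < payout) revert PoolUnderfunded();

        // Update state before the external call (checks-effects-interactions).
        balanceOf[msg.sender] = bal - amount;
        poolFractions += amount;

        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "ETH transfer failed");
    }
}
```

The check is per address, so it does not cover a holder who has split the same fractions across several accounts.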
Spelling Errors: Succesful -> Successful
I believe this is in other files as well.
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/test/Buyout.t.sol#L320
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/test/Buyout.t.sol#L336
When transferring ownership to an account, no validation is done on the account that it is being transferred to. A zero-address check could be added here to be safer.
🌟 Selected for report: joestakey
Also found by: 0x1f8b, 0x29A, 0xA5DF, 0xKitsune, 0xNazgul, 0xNineDec, 0xalpharush, 0xkatana, 0xsanson, 0xsolstars, 8olidity, Avci, Bnke0x0, BowTiedWardens, Chom, Deivitto, ElKu, Fitraldys, Funen, IllIllI, JC, Kaiziron, Lambda, Limbooo, MEP, NoamYakov, PwnedNoMore, RedOneN, ReyAdmirado, Rohan16, Ruhum, Saintcode_, Sm4rty, TomJ, Tomio, TrungOre, Tutturu, Waze, _Adam, __141345__, ajtra, apostle0x01, asutorufos, benbaessler, brgltd, c3phas, codexploder, cryptphi, delfin454000, dharma09, djxploit, durianSausage, fatherOfBlocks, giovannidisiena, gogo, horsefacts, hrishibhat, hyh, ignacio, jocxyen, jonatascm, karanctf, kebabsec, kyteg, m_Rassska, mektigboy, oyc_109, pedr02b2, rbserver, robee, rokinot, sach1r0, sashik_eth, simon135, slywaters
37.4666 USDC - $37.47
Add check for 0 amount in buy and sell fractions to avoid executing unnecessary logic. For example:
if (_amount == 0) revert ZeroAmount();
The above could be added right before the line in the snippets below.