Platform: Code4rena
Start Date: 02/08/2022
Pot Size: $50,000 USDC
Total HM: 12
Participants: 69
Period: 5 days
Judge: gzeon
Total Solo HM: 5
Id: 150
League: ETH
Rank: 17/69
Findings: 2
Award: $683.42
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: peritoflores
Also found by: 8olidity, vlad_bochok
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/libraries/BoringBatchable.sol#L36
delegatecall is used inside a loop in a payable function, so the msg.value of the outer call is visible to every iteration and can be consumed more than once.
contracts/libraries/BoringBatchable.sol:

```solidity
function batch(bytes[] calldata calls, bool revertOnFail) external payable {
    for (uint256 i = 0; i < calls.length; i++) {
        (bool success, bytes memory result) = address(this).delegatecall(calls[i]);
```
When calling `batch`, the same msg.value is credited on every iteration: each delegatecall runs in the context of the outer call and therefore sees its full msg.value, so a payable function reached this way counts ETH that was sent once as if it had been sent once per call.
vscode
Carefully check that no function reachable through delegatecall is payable or reads msg.value. If such functions must be batchable, either make `batch` non-payable or record the value sent with `batch` once and have the inner functions draw from that budget so it can only be spent once.
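To make the double-credit concrete, here is an added example (not code from the MIMO repository or from BoringBatchable) that reproduces the `batch()` pattern in a minimal vault, builds the calldata that exercises it, and shows one hardened variant. All contract and function names except `batch` and `deposit` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example, not MIMO/BoringBatchable code. VulnerableVault reproduces the
// pattern from the finding; HardenedVault shows one fix. Names are hypothetical.

// Vulnerable: batch() is payable and delegatecalls into this same contract, so
// every iteration observes the full msg.value of the outer batch() call.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    // Credits msg.value to the caller. Reached through delegatecall from batch(),
    // msg.sender and msg.value are still those of the outer batch() call.
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function batch(bytes[] calldata calls, bool revertOnFail) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool success, bytes memory result) = address(this).delegatecall(calls[i]);
            if (!success && revertOnFail) {
                // Bubble up the inner call's revert data unchanged.
                assembly { revert(add(result, 32), mload(result)) }
            }
        }
    }
}

// Hardened: the value sent with batch() is recorded once, and every function
// reached via delegatecall draws from that budget instead of trusting msg.value.
// Direct calls to deposit() (not via batch) keep using msg.value as before.
contract HardenedVault {
    mapping(address => uint256) public balances;
    bool private _inBatch;
    uint256 private _unspentValue;

    function deposit() external payable {
        uint256 amount;
        if (_inBatch) {
            amount = _unspentValue;                  // what batch() has not handed out yet
            require(amount > 0, "value already consumed"); // second deposit in a batch fails
            _unspentValue = 0;
        } else {
            amount = msg.value;
        }
        balances[msg.sender] += amount;
    }

    function batch(bytes[] calldata calls, bool revertOnFail) external payable {
        require(!_inBatch, "reentrant batch");
        _inBatch = true;
        _unspentValue = msg.value;
        for (uint256 i = 0; i < calls.length; i++) {
            (bool success, bytes memory result) = address(this).delegatecall(calls[i]);
            if (!success && revertOnFail) {
                assembly { revert(add(result, 32), mload(result)) }
            }
        }
        // Refuse to silently keep ETH that no inner call consumed.
        require(_unspentValue == 0, "unspent msg.value");
        _inBatch = false;
    }
}

// Builds the two-call payload that turns 1 ETH sent to VulnerableVault.batch()
// into a 2 ETH recorded balance.
library Exploit {
    function doubleDeposit() internal pure returns (bytes[] memory calls) {
        calls = new bytes[](2);
        calls[0] = abi.encodeCall(VulnerableVault.deposit, ());
        calls[1] = abi.encodeCall(VulnerableVault.deposit, ());
    }
}
```

Calling `VulnerableVault.batch(Exploit.doubleDeposit(), true)` with 1 ether credits `balances[caller]` with 2 ether while the contract actually holds 1 ether; the same payload against `HardenedVault` reverts with "value already consumed" on the second `deposit`. The budget approach keeps `batch` payable; the simpler alternative, where nothing batched needs ETH, is to drop `payable` from `batch` so the compiler rejects any value sent with it.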
#0 - horsefacts
2022-08-08T23:25:04Z
#1 - RayXpub
2022-08-10T13:14:47Z
Duplicate of #153
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0xDjango, 0xNazgul, 0xc0ffEE, 8olidity, Bnke0x0, Chom, CodingNameKiki, Deivitto, Dravee, Funen, JC, JohnSmith, NoamYakov, ReyAdmirado, Rohan16, Rolezn, Sm4rty, SooYa, TomFrenchBlockchain, TomJ, Waze, __141345__, ajtra, ak1, aysha, bin2chen, bobirichman, brgltd, bulej93, c3phas, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, horsefacts, hyh, ladboy233, mics, natzuu, nxrblsrpr, oyc_109, rbserver, samruna, sikorico, simon135, tofunmi, wagmi
67.5073 USDC - $67.51
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxy.sol#L133
The lack of a contract existence check when executing transactions in MIMOProxy might lead to incorrectly assuming that external code was executed.
contracts/proxy/MIMOProxy.sol:

```solidity
for (uint256 i = 0; i < targets.length; i++) {
    (bool success, bytes memory response) = targets[i].call(data[i]);
    if (!success) {
```
PoC:

```ts
describe("--- MIMOMulticall Integration Tests ---", () => {
  it("should be able to deposit", async () => {
    const { mimoProxy, wmatic, vaultsCore, vaultsDataProvider, owner } = await setup();
    const result = await mimoProxy.multicall(
      // The last target is a placeholder address with no deployed code; the
      // call to it still reports success.
      [wmatic.address, wmatic.address, vaultsCore.address, "0xxxxxx"],
      [
        wmatic.interface.encodeFunctionData("transferFrom", [owner.address, mimoProxy.address, DEPOSIT_AMOUNT]),
        wmatic.interface.encodeFunctionData("approve", [vaultsCore.address, DEPOSIT_AMOUNT]),
        vaultsCore.interface.encodeFunctionData("deposit", [wmatic.address, DEPOSIT_AMOUNT]),
        wmatic.interface.encodeFunctionData("approve", ["0xxxxx", DEPOSIT_AMOUNT]),
      ],
    );
    console.log(result);
  });
});
```
The function does not check that each target address has code deployed at it, so a call to an EOA, a mistyped address, or a contract that has not been deployed on the current chain reports success with an empty return value. The Solidity documentation warns:
The low-level call, delegatecall and callcode will return success if the called account is non-existent, as part of the design of EVM. Existence must be checked prior to calling if desired.
vscode
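The following is an added example (not MIMOProxy's code) that reproduces the unchecked loop from the finding, adds a probe showing what a raw call to a code-less address reports, and shows the existence check from the Solidity documentation applied per target. Contract and function names other than `multicall` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example, not MIMOProxy code. Names are hypothetical.
contract MulticallDemo {
    error TargetHasNoCode(uint256 index, address target);
    error CallFailed(uint256 index, bytes response);

    // Vulnerable pattern: a call to an address with no code returns
    // success == true and an empty response, so a "deposit" or "approve"
    // step can silently do nothing while the loop carries on.
    function multicallUnchecked(address[] calldata targets, bytes[] calldata data)
        external
        returns (bytes[] memory responses)
    {
        require(targets.length == data.length, "length mismatch");
        responses = new bytes[](targets.length);
        for (uint256 i = 0; i < targets.length; i++) {
            (bool success, bytes memory response) = targets[i].call(data[i]);
            if (!success) revert CallFailed(i, response);
            responses[i] = response;
        }
    }

    // Hardened: refuse any target with no deployed code before calling it.
    function multicallChecked(address[] calldata targets, bytes[] calldata data)
        external
        returns (bytes[] memory responses)
    {
        require(targets.length == data.length, "length mismatch");
        responses = new bytes[](targets.length);
        for (uint256 i = 0; i < targets.length; i++) {
            if (targets[i].code.length == 0) revert TargetHasNoCode(i, targets[i]);
            (bool success, bytes memory response) = targets[i].call(data[i]);
            if (!success) revert CallFailed(i, response);
            responses[i] = response;
        }
    }

    // Probe: reports what a raw call sees for an arbitrary address. For an EOA
    // or a never-deployed address this returns hasCode == false together with
    // success == true and an empty response, which is exactly the case the
    // finding describes.
    function probe(address target, bytes calldata data)
        external
        returns (bool success, bool hasCode, bytes memory response)
    {
        hasCode = target.code.length > 0;
        (success, response) = target.call(data);
    }
}
```

Two caveats before applying the check everywhere: `code.length` is also 0 for a contract that is still executing its constructor and for the precompiles (addresses 0x01 through 0x09), which have no code but are callable, and a plain ETH transfer to an EOA is a legitimate call with no code at the target. The check therefore belongs on the paths where the call is expected to execute contract code, such as the token and vault interactions in the PoC above.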
#0 - RayXpub
2022-08-10T13:16:03Z
Duplicate of #41