Maia DAO - Ulysses - ABAIKUNANBAEV's results

Harnessing the power of Arbitrum, Ulysses Omnichain specializes in Virtualized Liquidity Management.

General Information

Platform: Code4rena

Start Date: 22/09/2023

Pot Size: $100,000 USDC

Total HM: 15

Participants: 175

Period: 14 days

Judge: alcueca

Total Solo HM: 4

Id: 287

League: ETH

Maia DAO

Researcher Performance

Rank: 97/175

Findings: 1

Award: $25.68

QA:
grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L124 https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L134

Vulnerability details

Impact

In VirtualAccount.sol, there are onERC1155Received() and onERC1155BatchReceived() callbacks, but there is no function to withdraw ERC1155 tokens, as opposed to ERC20 and ERC721.

Proof of Concept

  1. Let's say a user deposits an ERC1155 token into his VirtualAccount and the onERC1155Received() callback is activated.

  2. After some time, he wants to withdraw the tokens back, but there is no such function in the contract, only for ERC20 and ERC721 (and also native ETH):

https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L51-63

Tools Used

Manual review.

Implement withdrawERC1155() functionality.

Assessed type

Token-Transfer

#0 - c4-pre-sort

2023-10-09T07:03:42Z

0xA5DF marked the issue as duplicate of #408

#1 - c4-pre-sort

2023-10-09T10:45:57Z

0xA5DF marked the issue as sufficient quality report

#2 - c4-judge

2023-10-24T14:25:54Z

alcueca changed the severity to QA (Quality Assurance)

#3 - c4-judge

2023-10-24T14:26:57Z

alcueca marked the issue as grade-a
