Platform: Code4rena
Start Date: 13/12/2022
Pot Size: $36,500 USDC
Total HM: 5
Participants: 77
Period: 3 days
Judge: gzeon
Total Solo HM: 1
Id: 191
League: ETH
Rank: 18/77
Findings: 2
Award: $129.49
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Soosh
Also found by: 9svR6w, Apocalypto, Ch_301, HE1M, Koolex, SmartSek, Titi, Trust, Zarf, bin2chen, btk, carrotsmuggler, csanuragjain, dic0de, dipp, gz627, hansfriese, hihen, imare, immeas, indijanc, jadezti, kuldeep, ladboy233, maks, neumo, obront, rvierdiiev, sces60107, sk8erboy
19.2206 USDC - $19.22
https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L83-L88 https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L159 https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L314-L317
Settings variable drawBufferTime represents the buffer time that forbids owner to trigger redraw and thus allows winner to claim the reward NFT via winnerClaimNFT function. There is also another recoverTimelock settings variable that defines time when the owner can reclaim the reward NFT via lastResortTimelockOwnerClaimNFT. The issue is that drawBufferTime and recoverTimelock are not correctly checked which leads to situation that both triggering winnerClaimNFT and lastResortTimelockOwnerClaimNFT is possible.
Example 1:
drawBufferTime 1 monthrecoverTimeLock 1 weekstartDraw() is called by the owner
drawTimeLock is set to the next monthrecoverTimeLock is always set to 1 weekThe issue is also present in case there are multiple redraws (via redraw function) that lead to expiration of recoverTimeLock which allows owner to trigger lastResortTimelockOwnerClaimNFT function.
It is recommended to set drawBufferTime and recoverTimeLock to values that will hold relationship recoverTimeLock = block.timestamp + drawBufferTime + X. In addition value of recoverTimeLock should be set properly in every _requestRoll function execution. Disallow owner to withdraw the NFT before the drawTimelock is expired.
#0 - c4-judge
2022-12-17T16:09:24Z
gzeon-c4 marked the issue as duplicate of #146
#1 - c4-judge
2023-01-23T16:53:11Z
gzeon-c4 marked the issue as satisfactory
#2 - c4-judge
2023-01-23T17:09:34Z
gzeon-c4 changed the severity to 3 (High Risk)
🌟 Selected for report: Trust
Also found by: Apocalypto, Madalad, Matin, aga7hokakological, evan, kaliberpoziomka8552, mookimgo, poirots, subtle77, wagmi, yixxas
110.2711 USDC - $110.27
Immutable variable MONTH_IN_SECONDS is assigned with incorrect value. It is expected to represent 30 days but it is set to 30 weeks:
uint256 immutable MONTH_IN_SECONDS = (3600 * 24 * 7) * 30;
VRFNFTRandomDraw.sol:
Manual Review
It is recommended to assign correct value of 30 days to MONTH_IN_SECONDS variable:
uint256 immutable MONTH_IN_SECONDS = (3600 * 24) * 30;
#0 - c4-judge
2022-12-17T12:53:28Z
gzeon-c4 marked the issue as duplicate of #273
#1 - c4-judge
2022-12-17T12:53:56Z
gzeon-c4 marked the issue as satisfactory