Platform: Code4rena
Start Date: 01/08/2022
Pot Size: $50,000 USDC
Total HM: 26
Participants: 133
Period: 5 days
Judge: Jack the Pug
Total Solo HM: 6
Id: 151
League: ETH
Rank: 27/133
Findings: 3
Award: $301.19
🌟 Selected for report: 0
🚀 Solo Findings: 0
165.6336 USDC - $165.63
A builder can, after it convened with the lender and an external agent to reduce his debt through escrow(), reuse the signature and pass it again to escrow() many times. This allows him to reduce his debt more than expected, leaving the lender at a loss.
Function Community.escrow() lacks signature replay protection. Once it has been called once successfully, the builder of a project can call it many times with the same _data and _signature and each time his debt will be reduced by _repayAmount.
It is suggested to include a nonce into the signed data and checking it with the current nonce (as done elsewhere in the code) to avoid signature replays.
#0 - horsefacts
2022-08-06T20:28:47Z
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L386 https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L330
If there has been more than a change in a task's cost through mulitple calls to changeOrder(), signatures previously passed can be replayed by one party to change the price payed for the task without consent of the other parties by frontrunning call to setComplete().
A task's cost can be changed multiple times during negotiations between builder/contractor and subcontractor by calling changeOrder(). Let's say it is changed two times before setComplete() is finally called and the subcontractor is payed. If for example the second change sets a cost which is smaller than the first change, then the subcontractor can replay the first change by frontrunning setComplete(), changing the order cost just before payment and managing to be payed more than expected.
It is suggested to include a nonce into the signed data and comparing it with the current nonce (as done elsewhere in the code) to avoid signature replays.
#0 - parv3213
2022-08-11T13:25:41Z
Duplicate of #339
🌟 Selected for report: Lambda
Also found by: 0x1f8b, 0x52, 0xA5DF, 0xNazgul, 0xNineDec, 0xSmartContract, 0xSolus, 0xf15ers, 0xkatana, 0xsolstars, 8olidity, Aymen0909, Bahurum, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Extropy, Funen, GalloDaSballo, Guardian, IllIllI, JC, Jujic, MEP, Noah3o6, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, SooYa, Soosh, Throne6g, TomJ, Tomio, TrungOre, Waze, Yiko, _Adam, __141345__, a12jmx, ajtra, ak1, arcoun, asutorufos, ayeslick, benbaessler, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, byndooa, c3phas, codexploder, cryptonue, cryptphi, defsec, delfin454000, dipp, djxploit, erictee, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hyh, ignacio, indijanc, joestakey, kaden, mics, minhquanym, neumo, obront, oyc_109, p_crypt0, pfapostol, poirots, rbserver, robee, rokinot, rotcivegaf, sach1r0, saian, samruna, saneryee, scaraven, sikorico, simon135, sseefried, supernova
40.692 USDC - $40.69
noChange():In HomeFi.sol#L82 noChange modifier name is not coherent with previous modifier names, that say what is allowed (onlyAdmin and nonZero). According to the same logic, one should use mustChange.
noChange():In HomeFi.sol#L191 replace the check by the corresponding modifier noChange().
In HomeFi.sol#L296 internal function mintNFT() with unused return.
internal function _msgData() is never used (HomeFi.sol#L314 , Community.sol#L910)
redundant casting of uint256 to uint256 at Project.sol#L200
HomeFiProxy.sol#L32: comment
/// @dev mapping that maps contract initials with there implementation address
is confusing since the mapping points to the proxies and not the implementation addresses.
Same imprecision exists in natspec comment at HomeFiProxy.sol#L172.
In HomeFiProxy.sol#L150 owner of proxyAdmin is changed through a single step procedure. This is a critical system parameter and it is recommended to implement a two-step change.