Platform: Code4rena
Start Date: 28/11/2022
Pot Size: $192,500 USDC
Total HM: 33
Participants: 106
Period: 11 days
Judge: LSDan
Total Solo HM: 15
Id: 186
League: ETH
Rank: 40/106
Findings: 1
Award: $342.95
🌟 Selected for report: 0
🚀 Solo Findings: 0
342.9511 USDC - $342.95
In order to supply a PUNK, the PUNK owner has to offer their PUNK for sale to the WPunkGateway for 0 ETH and then call supplyPunk. During this time, anyone can call supplyPunk, which will supply the PUNK to ParaSpace as collateral for the exploiter.
1- PUNK owner calls offerPunkForSale on their PUNK
2- Exploiter front-runs the PUNK owner and calls supplyPunk
3- PUNK will be deposited to WPUNK and WPUNK token will be sent to the exploiter at the beginning of the TX.
4- supplyERC721 is called, which will supply the PUNK to ParaSpace as collateral for the exploiter.
Manual review
Add a check to see if the msg.sender is the owner of the punk:
```solidity
function supplyPunk(
    DataTypes.ERC721SupplyParams[] calldata punkIndexes,
    address onBehalfOf,
    uint16 referralCode
) external nonReentrant {
    for (uint256 i = 0; i < punkIndexes.length; i++) {
        require(Punk.punkIndexToAddress(punkIndexes[i].tokenId) == msg.sender);
        Punk.buyPunk(punkIndexes[i].tokenId);
        Punk.transferPunk(proxy, punkIndexes[i].tokenId);
        // gatewayProxy is the sender of this function, not the original gateway
        WPunk.mint(punkIndexes[i].tokenId);
    }
    Pool.supplyERC721(
        address(WPunk),
        punkIndexes,
        onBehalfOf,
        referralCode
    );
}
```
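The call ordering in steps 1-4 and the effect of the msg.sender check, as an added Python model that is not ParaSpace's contract code or part of the original submission. The PunkMarket and Gateway classes, the offer_to and run helpers, the check_owner switch and the account names are constructed for illustration.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

class PunkMarket:
    """Constructed stand-in for the punk market; only the calls the finding uses."""
    def __init__(self):
        self.owner_of = {}  # punk id -> owner, like punkIndexToAddress
        self.offers = {}    # punk id -> (price, only address allowed to buy)

    def offer_to(self, sender, punk, price, buyer):
        if self.owner_of[punk] != sender:
            raise Revert("only the owner can offer a punk")
        self.offers[punk] = (price, buyer)

    def buy(self, sender, punk):
        if self.offers.get(punk) != (0, sender):
            raise Revert("punk is not offered to sender for 0 ETH")
        del self.offers[punk]
        self.owner_of[punk] = sender

class Gateway:
    ADDRESS = "gateway"

    def __init__(self, market, check_owner):
        self.market, self.check_owner = market, check_owner
        self.collateral = {}  # punk id -> account credited by supplyERC721

    def supply_punk(self, sender, punk, on_behalf_of):
        # The recommended fix: punkIndexToAddress(tokenId) == msg.sender
        if self.check_owner and self.market.owner_of[punk] != sender:
            raise Revert("caller does not own the punk")
        self.market.buy(self.ADDRESS, punk)       # Punk.buyPunk
        self.collateral[punk] = on_behalf_of      # Pool.supplyERC721(..., onBehalfOf, ...)

def run(check_owner):
    """Replay steps 1-4 with the exploiter's call ordered first; return who is credited."""
    market = PunkMarket()
    market.owner_of[1] = "alice"                  # constructed accounts
    gateway = Gateway(market, check_owner)
    market.offer_to("alice", 1, 0, Gateway.ADDRESS)
    for caller in ("mallory", "alice"):           # mallory front-runs alice
        try:
            gateway.supply_punk(caller, 1, caller)
        except Revert:
            continue
    return gateway.collateral[1]

if __name__ == "__main__":
    print("without check:", run(False))
    print("with check:   ", run(True))
```

Without the check the owner's own call reverts because the 0 ETH offer has already been consumed; with it, the earlier call reverts and the owner's call succeeds.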
#0 - c4-judge
2022-12-20T18:11:17Z
dmvt marked the issue as duplicate of #71
#1 - c4-judge
2023-01-09T16:50:34Z
dmvt marked the issue as nullified
#2 - c4-judge
2023-01-23T20:02:47Z
dmvt marked the issue as partial-50