Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $100,000 USDC
Total HM: 4
Participants: 109
Period: 7 days
Judge: GalloDaSballo
Id: 163
League: ETH
Rank: 29/109
Findings: 1
Award: $696.90
Selected for report: 0
Solo Findings: 0
Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xNazgul, 0xRobocop, 0xSmartContract, 0xdeadbeef, 0xsanson, 8olidity, Amithuddar, Aymen0909, B2, B353N, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, ElKu, Funen, JC, JohnnyTime, Kresh, Lambda, Noah3o6, RaymondFam, ReyAdmirado, RockingMiles, Rolezn, Sm4rty, SuldaanBeegsi, Tadashi, TomJ, Tomio, V_B, Waze, __141345__, a12jmx, ak1, arcoun, asutorufos, aviggiano, berndartmueller, bharg4v, bin2chen, brgltd, bulej93, c3phas, catchup, cccz, ch0bu, cryptonue, cryptphi, csanuragjain, delfin454000, devtooligan, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, ignacio, joestakey, ladboy233, lukris02, m9800, malinariy, martin, minhtrng, obront, oyc_109, pedr02b2, pedroais, pfapostol, philogy, prasantgupta52, rbserver, ronnyx2017, rotcivegaf, rvierdiiev, sach1r0, shung, simon135, throttle, tnevler, tonisives, wagmi, yixxas, zkhorse, zzykxx, zzzitron
696.8956 USDC - $696.90
Finding 1: emissionMultiple can be checked without revealing the Gobbler

The user can mintFromGoo() and then invoke requestRandomSeed() with toBeRevealed == 1. At that point he can check emissionMultiple without ever invoking revealGobblers(). If he doesn't like the resulting emissionMultiple, he can sell these Gobblers without revealing them.

File: /src/ArtGobblers.sol
    function transferFrom(
        address from,
        address to,
        uint256 id
    ) public override {
        // body elided in the report; see the link below
    }
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L880-L917

Recommendation: add a check for whether the Gobbler has been revealed before transferring it to a new address.
Finding 2: an amount in the allowance mapping cannot be used for mintFromGoo()

If someone has an amount on the allowance list he can't use it directly. He first needs to transfer it to his own balance, and only then can he invoke mintFromGoo() or addGoo().

File: /src/ArtGobblers.sol
    function addGoo(uint256 gooAmount) external {
        // Burn goo being added to gobbler.
        goo.burnForGobblers(msg.sender, gooAmount);

        // Increase msg.sender's virtual goo balance.
        updateUserGooBalance(msg.sender, gooAmount, GooBalanceUpdateType.INCREASE);
    }
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L770-L776
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/Pages.sol#L195-L213
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L368-L390
Finding 3: isApprovedForAll() and getApproved() are not honoured

Only the owner passes the check; an operator approved via isApprovedForAll() or a spender approved via getApproved() cannot act on the Gobbler.

File: /src/ArtGobblers.sol
    if (owner != msg.sender) revert OwnerMismatch(owner);
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L733
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L437

Recommendation: revert only when the caller is neither the owner nor approved (note the conjunction: all three checks must fail before reverting):

    if (owner != msg.sender && !isApprovedForAll(owner, msg.sender) && getApproved(tokenId) != msg.sender) revert OwnerMismatch(owner);

And for mintLegendaryGobbler():

    require(owner == msg.sender || isApprovedForAll(owner, msg.sender) || getApproved(Id) == msg.sender, 'WRONG_FROM');
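The two transfer-side points above (Finding 1, a Gobbler with a requested but unexecuted reveal should not change hands; Finding 3, the owner-or-approved check must not lock out approved operators) can be shown together in one small contract. This is an illustration added here for the report, not ArtGobblers code: the storage names, the `lastRevealedId` / `toBeRevealed` reveal bookkeeping (modelled on the page's description of requestRandomSeed() and revealGobblers()) and the sample state in the constructor are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Stand-alone illustration written for this report. NOT the ArtGobblers
/// contract: storage names, reveal counters and constructor state are assumed.
contract GobblerGateExample {
    error OwnerMismatch(address owner);
    error NotAuthorized(address caller, uint256 id);
    error RevealPending(uint256 id);

    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public getApproved;
    mapping(address => mapping(address => bool)) public isApprovedForAll;

    // Assumed reveal counters: ids in (lastRevealedId, lastRevealedId + toBeRevealed]
    // have had a random seed requested but have not been revealed yet.
    uint256 public lastRevealedId;
    uint256 public toBeRevealed;

    constructor() {
        // Constructed sample state: address(1) holds ids 1 and 2; id 1 is
        // already revealed and a seed has been requested for id 2.
        ownerOf[1] = address(1);
        ownerOf[2] = address(1);
        lastRevealedId = 1;
        toBeRevealed = 1;
    }

    /// True while a seed has been requested for `id` but revealGobblers() has not run.
    function hasPendingReveal(uint256 id) public view returns (bool) {
        return id > lastRevealedId && id <= lastRevealedId + toBeRevealed;
    }

    /// Owner-or-approved check: the caller may act on `id` if it owns the token,
    /// is an operator for the owner, or is the single approved spender for the token.
    function isApprovedOrOwner(address caller, uint256 id) public view returns (bool) {
        address owner = ownerOf[id];
        return caller == owner || isApprovedForAll[owner][caller] || getApproved[id] == caller;
    }

    function setApprovalForAll(address operator, bool approved) external {
        isApprovedForAll[msg.sender][operator] = approved;
    }

    function approve(address spender, uint256 id) external {
        address owner = ownerOf[id];
        // Reverting requires BOTH checks to fail (conjunction, not disjunction).
        if (owner != msg.sender && !isApprovedForAll[owner][msg.sender]) {
            revert NotAuthorized(msg.sender, id);
        }
        getApproved[id] = spender;
    }

    /// Simulates revealGobblers(): everything requested so far becomes revealed.
    function reveal() external {
        lastRevealedId += toBeRevealed;
        toBeRevealed = 0;
    }

    /// Transfer gated on both findings: the caller must be owner or approved,
    /// and a token whose reveal is still pending cannot change hands.
    function transferFrom(address from, address to, uint256 id) external {
        if (ownerOf[id] != from) revert OwnerMismatch(ownerOf[id]);
        if (!isApprovedOrOwner(msg.sender, id)) revert NotAuthorized(msg.sender, id);
        if (hasPendingReveal(id)) revert RevealPending(id);
        delete getApproved[id];
        ownerOf[id] = to;
    }
}
```

With the constructed state, transferFrom(address(1), to, 1) from address(1) succeeds, the same call for id 2 reverts with RevealPending(2) until reveal() has run, and a third party that address(1) has approved via setApprovalForAll() or approve() passes the authorization check instead of hitting OwnerMismatch.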
Finding 4: use safeTransferFrom() rather than transferFrom()

The transaction can fail and getCopiesOfArtGobbledByGobbler will keep the value on it.

File: /src/ArtGobblers.sol
    ERC721(nft).transferFrom(msg.sender, address(this), id);
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L748
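As an added illustration of the recommendation in Finding 4 (not ArtGobblers code), the snippet below pulls the external NFT with safeTransferFrom() and additionally confirms ownership before touching the counter, so a token that reports failure without reverting cannot leave getCopiesOfArtGobbledByGobbler incremented. The interface slice, the counter's storage shape and the gobble() signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Minimal slice of ERC-721 used below (assumption: the real interface declares more).
interface IERC721Min {
    function safeTransferFrom(address from, address to, uint256 id) external;
    function ownerOf(uint256 id) external view returns (address);
}

/// Stand-alone illustration written for this report, not the ArtGobblers code.
/// The counter name follows the report; its exact storage shape is an assumption.
contract GobbleExample {
    error NotReceived(address nft, uint256 id);

    // bytes4(keccak256("onERC721Received(address,address,uint256,bytes)"))
    bytes4 private constant ERC721_RECEIVED = 0x150b7a02;

    // gobblerId => nft => id => copies gobbled
    mapping(uint256 => mapping(address => mapping(uint256 => uint256)))
        public getCopiesOfArtGobbledByGobbler;

    /// Pull `id` from the caller, confirm this contract really holds it, and
    /// only then record the copy.
    function gobble(uint256 gobblerId, address nft, uint256 id) external {
        IERC721Min(nft).safeTransferFrom(msg.sender, address(this), id);
        // A non-standard token that signals failure without reverting must not
        // leave the counter incremented.
        if (IERC721Min(nft).ownerOf(id) != address(this)) revert NotReceived(nft, id);
        getCopiesOfArtGobbledByGobbler[gobblerId][nft][id] += 1;
    }

    /// safeTransferFrom() to a contract only succeeds when the receiver
    /// implements this hook and returns its selector.
    function onERC721Received(address, address, uint256, bytes calldata)
        external
        pure
        returns (bytes4)
    {
        return ERC721_RECEIVED;
    }
}
```

The onERC721Received hook is what makes safeTransferFrom() usable at all when the recipient is a contract; the ownerOf() check after the call is the cheap extra guard that ties the counter update to an observed state change rather than to the absence of a revert.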
#0 - GalloDaSballo
2022-10-06T18:20:27Z
Disputed as the user can choose not to reveal but their outcome is already determined and no way of altering it was shown
Judge grading: R, R, L (1L 2R)