Platform: Code4rena
Start Date: 22/05/2024
Pot Size: $20,000 USDC
Total HM: 6
Participants: 126
Period: 5 days
Judge: 0xsomeone
Total Solo HM: 1
Id: 379
League: ETH
Rank: 7/126
Findings: 2
Award: $450.41
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Circolors
Also found by: 0rpse, 0x175, 0xAadi, 0xHash, 0xMax1mus, 0xMosh, 0xblack_bird, 0xdice91, 0xfox, 0xhacksmithh, 0xloscar01, 0xrex, 4rdiii, Audinarey, AvantGard, Bigsam, DPS, Dots, Drynooo, Dudex_2004, Evo, Kaysoft, King_, Limbooo, MrPotatoMagic, PENGUN, Sabit, SovaSlava, SpicyMeatball, TheFabled, Utsav, Varun_05, Walter, adam-idarrha, araj, aslanbek, ayden, bctester, biakia, bigtone, brgltd, carrotsmuggler, cats, crypticdefense, dd0x7e8, dhank, fandonov, fyamf, grearlake, iamandreiski, ilchovski, jasonxiale, joaovwfreire, lanrebayode77, m4ttm, merlinboii, niser93, nnez, octeezy, oxchsyston, pamprikrumplikas, rouhsamad, tedox, trachev, turvy_fuzz, twcctop, yotov721, zhaojohnson
0.0042 USDC - $0.00
https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L410 https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L278
Users may be attacked and unable to unlock assets.
Anyone can call the lockOnBehalf function to create a lock for someone else. This will extend the lockRecipient lock time. As long as the attacker repeatedly locks a user for a long time, the user will not be able to withdraw his assets. The attacker can set the lock amount to 0/1wei, which makes the attack almost cost-free.
manual
It is recommended to set a minimum number of locks, or only allow migrationManager to call the lockOnBehalf function.
DoS
#0 - c4-judge
2024-06-05T12:59:02Z
alex-ppg marked the issue as partial-75
#1 - Scorpiondeng
2024-06-06T06:53:41Z
The report mentioned the most serious infinite locking problem and also gave corresponding mitigation steps, which can limit calls or set a minimum number of locks to increase the cost of attack. It seems like it deserves all the rewards.
#2 - alex-ppg
2024-06-10T11:17:56Z
Hey @Scorpiondeng, per the C4 documentation any submission must be what would be acceptable in an audit report produced by a reputable firm. I do not believe your submission elaborated sufficiently on the issue and did not properly demonstrate it in this textual form. I advise you to have a look at audit reports by reputable firms and copy the same elaboration style to increase the probability of your submission being accepted for a full reward as partial rewards are a comparative metric.
🌟 Selected for report: PetarTolev
Also found by: Drynooo, MrPotatoMagic, bearonbike, joaovwfreire
450.4146 USDC - $450.41
Users will lose locked funds.
If migrationManager calls the lock function, the logic in the if will not be executed. Therefore, the remainder amount will still be equal to 0, and subsequent updates to the remainder amount and quantity will cause the user to lose the previous amount of remainder. Indicates that the remainder deposited by the user cannot be divisible, and also belongs to the user's assets.
if (msg.sender != address(migrationManager)) { // calculate number of nfts remainder = quantity % configuredToken.nftCost; numberNFTs = (quantity - remainder) / configuredToken.nftCost; if (numberNFTs > type(uint16).max) revert TooManyNFTsError(); // Tell nftOverlord that the player has new unopened Munchables nftOverlord.addReveal(_lockRecipient, uint16(numberNFTs)); }
manual
It is recommended that the remainder variable should be calculated correctly regardless of whether the addReveal function is executed or not.
Other
#0 - c4-judge
2024-06-10T15:09:52Z
alex-ppg marked the issue as partial-50
#1 - c4-judge
2024-06-10T15:10:24Z
alex-ppg changed the severity to 2 (Med Risk)