Back to Haipls's contests

Open Dollar - Haipls's results

A floating $1.00 pegged stablecoin backed by Liquid Staking Tokens with NFT controlled vaults.

General Information

Platform: Code4rena

Start Date: 18/10/2023

Pot Size: $36,500 USDC

Total HM: 17

Participants: 77

Period: 7 days

Judge: MiloTruck

Total Solo HM: 5

Id: 297

League: ETH

Open Dollar

Findings Distribution

Researcher Performance

Rank: 10/77

Findings: 1

Award: $600.07

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryOpen Dollar

Findings Information

🌟 Selected for report: Haipls

Also found by: kutugu, twcctop

Labels

bug
2 (Med Risk)
low quality report
primary issue
satisfactory
selected for report
M-09

Awards

600.071 USDC - $600.07

External Links

Link to GitHub issue

Lines of code

https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/proxies/Vault721.sol#L140

Vulnerability details

Impact

According to the standard, the tokenURI method must be reverted if a non-existent tokenId is passed. In the Vault721 contract, this point was ignored. What leads to a violation of the EIP721 spec

Proof of Concept

https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/proxies/Vault721.sol#L140-L142

File: contracts/proxies/Vault721.sol

  /**
   * @dev generate URI with updated vault information
   */
  function tokenURI(uint256 _safeId) public view override returns (string memory uri) {
    // @audit should throw if safeId does not exist according to the ERC721-Metadata specification
    uri = nftRenderer.render(_safeId);
  }

The responsibility for checking whether a token exists may be put on the nftRenderer depending on the implementation, and may also be missing, changed or added in the future. But the underlying Vault721 contract that is supposed to comply with the standard does not follow the specification

Similar problem with violation of ERC721 specification: https://github.com/code-423n4/2023-04-caviar-findings/issues/44

Tools Used

Add a token existence check at the Vault721 level, example:

  /**
   * @dev generate URI with updated vault information
   */
  function tokenURI(uint256 _safeId) public view override returns (string memory uri) {
+++ _requireMinted(_safeId);
    uri = nftRenderer.render(_safeId);
  }

Assessed type

ERC721

#0 - c4-pre-sort

2023-10-26T06:00:56Z

raymondfam marked the issue as low quality report

#1 - c4-pre-sort

2023-10-26T06:01:01Z

raymondfam marked the issue as primary issue

#2 - raymondfam

2023-10-26T06:02:30Z

Informational. QA at best.

#3 - MiloTruck

2023-11-01T21:41:41Z

Although the impact is extremely limited, the function does violate the ERC-721 spec as shown here. As such, I agree with Medium Severity.

#4 - c4-judge

2023-11-01T21:41:47Z

MiloTruck marked the issue as satisfactory

#5 - c4-judge

2023-11-02T04:14:22Z

MiloTruck removed the grade

#6 - c4-judge

2023-11-02T04:14:27Z

MiloTruck marked the issue as selected for report

#7 - c4-judge

2023-11-02T08:41:53Z

MiloTruck marked the issue as satisfactory

#8 - pi0neerpat

2023-11-10T07:05:48Z

This is a valid finding and recommendation is accurate.

Although the impact is extremely limited, the function does violate the ERC-721 spec as shown here. As such, I agree with Medium Severity.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter