Reality Cards contest - JMukesh's results

The world's first 'outcome ownership' prediction market.

General Information

Platform: Code4rena

Start Date: 10/06/2021

Pot Size: $45,000 USDC

Total HM: 21

Participants: 12

Period: 7 days

Judge: LSDan

Total Solo HM: 13

Id: 13

League: ETH

Reality Cards

Researcher Performance

Rank: 10/12

Findings: 3

Award: $395.58

🌟 Selected for report: 1

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: axic

Also found by: JMukesh, a_delamo, cmichel, gpersoon, pauliax, s1m0, shw

Labels

bug
duplicate
3 (High Risk)

Awards

259.5075 USDC - $259.51

External Links

Handle

JMukesh

Vulnerability details

Impact

It is usually good to add a require-statement that checks the return value or to use something like safeTransfer, unless one is sure the given token reverts in case of a failure.

Proof of Concept

https://consensys.net/diligence/audits/2021/01/fei-protocol/#unchecked-return-value-for-iweth-transfer-call

In RCTreasury.sol

https://github.com/code-423n4/2021-06-realitycards/blob/main/contracts/RCTreasury.sol#L298

https://github.com/code-423n4/2021-06-realitycards/blob/main/contracts/RCTreasury.sol#L350

Tools Used

manual review

Consider adding a require-statement or using safeTransfer()

#0 - Splidge

2021-06-15T14:52:39Z

Duplicate of #2

#1 - dmvt

2021-07-11T12:37:48Z

duplicate of #2
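
As an added illustration of the unchecked-return-value finding above (not Reality Cards' code and not part of the original submission), this Solidity sketch puts the unchecked pattern next to a require-checked call and a safeTransfer-style low-level call. `TreasurySketch`, `deposits` and all function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration; every name below is hypothetical, not Reality Cards code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TreasurySketch {
    IERC20 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 _token) {
        require(address(_token) != address(0), "token is zero address");
        token = _token;
    }

    // Unchecked pattern: if the token returns false instead of reverting,
    // `deposits` is credited although no tokens moved.
    function depositUnchecked(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        deposits[msg.sender] += amount;
    }

    // Fix 1: require the boolean result. Tokens that return no data at all
    // make this high-level call revert during return-value decoding.
    function depositChecked(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        deposits[msg.sender] += amount;
    }

    // Fix 2: safeTransfer-style call that also accepts tokens returning no data.
    function withdrawSafe(uint256 amount) external {
        deposits[msg.sender] -= amount; // reverts on underflow in 0.8+
        _safeTransfer(msg.sender, amount);
    }

    function _safeTransfer(address to, uint256 amount) private {
        // A low-level call to an address without code succeeds, so check for code first.
        require(address(token).code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        // Accept either empty return data or an ABI-encoded `true`.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
    }
}
```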

Findings Information

🌟 Selected for report: 0xRajeev

Also found by: JMukesh, cmichel, jvaqa

Labels

bug
duplicate
1 (Low Risk)
sponsor confirmed

Awards

79.1061 USDC - $79.11

External Links

Handle

JMukesh

Vulnerability details

Impact

assert() is used for internal error checking and require() is used to check input conditions, but here assert() is used for input checking.

Proof of Concept

https://docs.soliditylang.org/en/v0.8.5/control-structures.html#panic-via-assert-and-error-via-require

https://github.com/code-423n4/2021-06-realitycards/blob/main/contracts/RCMarket.sol#L202

Tools Used

manual review

Use require.

#0 - Splidge

2021-06-16T09:49:50Z

This could be considered a duplicate of #44

#1 - Splidge

2021-06-17T11:30:59Z

Duplicate of #155

#2 - dmvt

2021-07-11T10:26:02Z

duplicate of #83

Findings Information

🌟 Selected for report: JMukesh

Also found by: 0xRajeev, a_delamo, cmichel, maplesyrup

Labels

bug
1 (Low Risk)
sponsor confirmed
resolved

Awards

56.9564 USDC - $56.96

External Links

Handle

JMukesh

Vulnerability details

Impact

The constructor of RCOrderbook.sol lacks zero address validation. Since the parameters of the constructor are used to initialize state variables which are used in other functions of the contract, an error in these state variables can lead to redeployment of the contract.

Proof of Concept

https://github.com/code-423n4/2021-06-realitycards/blob/main/contracts/RCOrderbook.sol#L106

Tools Used

manual review

Add a require condition to check for the zero address.

#0 - Splidge

2021-06-16T08:01:13Z

I think the zero address validation isn't a problem for factoryAddress, as this can be set later in the function setFactoryAddress. However, yes, Treasury is missing a possible setTreasuryAddress.

#1 - Splidge

2021-06-21T10:18:25Z

implemented here

#2 - Splidge

2021-06-21T10:41:14Z

Additional changes for #142 and #115 are here

Findings Information

🌟 Selected for report: gpersoon

Also found by: JMukesh, heiho1

Labels

bug
duplicate
G (Gas Optimization)

Awards

0 USDC - $0.00

External Links

Handle

JMukesh

Vulnerability details

Impact

address public _realitioAddress: this state variable was unused throughout the contract in RCMarket.sol.

Proof of Concept

https://github.com/code-423n4/2021-06-realitycards/blob/main/contracts/RCMarket.sol#L122

Tools Used

manual review

Remove the state variables which are unused.

#0 - Splidge

2021-06-16T07:57:00Z

Duplicate of #7
