Unlock Protocol contest - Jujic's results

Protocol for memberships built on a blockchain, where fans can support their favourite creators by purchasing their NFTs!

General Information

Platform: Code4rena

Start Date: 18/11/2021

Pot Size: $50,000 USDC

Total HM: 18

Participants: 26

Period: 7 days

Judge: leastwood

Total Solo HM: 12

Id: 54

League: ETH

Unlock Protocol

Findings Distribution

Researcher Performance

Rank: 14/26

Findings: 2

Award: $405.50

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Unlock Protocol

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Auditors

Browse

Contests

Browse

Get in touch

Contact Twitter

Findings Information

🌟 Selected for report: WatchPug

Also found by: Jujic, loop, mics, nathaniel

Labels

bug

duplicate

G (Gas Optimization)

Awards

7.0389 USDC - $7.04

External Links

Link to GitHub issue

Handle

Jujic

Vulnerability details

Impact

Proof of Concept

At line: https://github.com/code-423n4/2021-11-unlock/blob/ec41eada1dd116bcccc5603ce342257584bec783/smart-contracts/contracts/Unlock.sol#L211 use external instead of public modifier

Tools Used

Recommended Mitigation Steps

I recommend using external instead of public modifier for createLock function because it is not called internally.

#0 - 0xleastwood
2022-01-17T08:11:54Z

Agree!

#1 - 0xleastwood
2022-01-17T08:50:59Z

Duplicate of #196

Findings Information

🌟 Selected for report: Jujic

Labels

bug

1 (Low Risk)

Awards

398.4587 USDC - $398.46

External Links

Link to GitHub issue

Handle

Jujic

Vulnerability details

Impact

The function initializeProxyAdmin() can be called by anyone the first time which allows an attacker to set the ProxyAdmin of the contract to themselves, leading to a denial of service attack.

Proof of Concept

https://github.com/unlock-protocol/unlock/blob/dda84f298e51ea37af514133e861052f21164b37/smart-contracts/contracts/Unlock.sol#L153

Tools Used

Recommended Mitigation Steps

Add access modifier.

#0 - julien51
2022-01-03T15:11:53Z

If this was front-run we could easily re-deploy anyway?

#1 - 0xleastwood
2022-01-16T11:57:03Z

Agree with warden here. This can cause unintended consequences. It makes sense to call initializeProxyAdmin() from within initialize().

Unlock Protocol contest - Jujic's results

Protocol for memberships built on a blockchain, where fans can support their favourite creators by purchasing their NFTs!

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $398.46

Gas Report - $7.04

QA Report - $398.46

Gas Report - $7.04

[G-24] Possible gas saving - $7.04

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - 0xleastwood2022-01-17T08:11:54Z

#1 - 0xleastwood2022-01-17T08:50:59Z

🚀 [L-14] Setting the admin in initialize initializeProxyAdmin can be frontrun by an attacker - $398.46

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - julien512022-01-03T15:11:53Z

#1 - 0xleastwood2022-01-16T11:57:03Z

#0 - 0xleastwood
2022-01-17T08:11:54Z

#1 - 0xleastwood
2022-01-17T08:50:59Z

#0 - julien51
2022-01-03T15:11:53Z

#1 - 0xleastwood
2022-01-16T11:57:03Z