Fractional v2 contest - Kthere's results

A collective ownership platform for NFTs on Ethereum.

General Information

Platform: Code4rena

Start Date: 07/07/2022

Pot Size: $75,000 USDC

Total HM: 32

Participants: 141

Period: 7 days

Judge: HardlyDifficult

Total Solo HM: 4

Id: 144

League: ETH

Fractional

Findings Distribution

Researcher Performance

Rank: 97/141

Findings: 2

Award: $63.34

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

1.3977 USDC - $1.40

Labels

bug
duplicate
2 (Med Risk)
old-submission-method

External Links

Lines of code

https://github.com/code-423n4/2022-07-fractional/blob/main/src/modules/Migration.sol#L172
https://github.com/code-423n4/2022-07-fractional/blob/main/src/modules/Migration.sol#L325
https://github.com/code-423n4/2022-07-fractional/blob/main/src/utils/SafeSend.sol#L33

Vulnerability details

Impact

Using call() instead of transfer() is recommended to avoid the hard dependency of smart contracts on gas costs.

Proof of Concept

The transfer() function always forwards a constant 2300 gas to the fallback function. This will fail when the gas costs change and make 2300 insufficient for the transfer function.

Replacing transfer() with call() will forward all the available gas for the transfer function to avoid dependency on gas costs. Refer to this article for a better explanation: https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

Tools Used

Manual Checking

Replace transfer() with call() like follows:

(bool success, ) = msg.sender.call{value: amount}("");
require(success, "Transfer failed.");
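As an added example (not code from the Fractional repository or from the submission above), the following contracts put the two patterns side by side. StorageWritingReceiver, Payout and the function names are assumed for illustration. A receive() that writes storage needs far more than the 2300 gas stipend that transfer() forwards, so withdrawWithTransfer reverts for such a recipient, while withdrawWithCall succeeds. Because call() forwards all remaining gas, the replacement keeps the checks-effects-interactions order and adds a reentrancy lock, which is the caveat a reviewer would expect alongside this recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed recipient: its receive() does an SSTORE, which alone costs more than
// the 2300 gas that transfer() forwards, so transfer() to it always reverts.
contract StorageWritingReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value; // storage write: exceeds the 2300 gas stipend
    }
}

// Assumed pull-payment contract showing the pattern the finding describes
// (transfer) and the recommended replacement (call).
contract Payout {
    mapping(address => uint256) public balances;
    bool private locked; // minimal reentrancy lock

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Pattern flagged by the finding: transfer() forwards a fixed 2300 gas and
    // reverts whenever the recipient's fallback needs more than that.
    function withdrawWithTransfer(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }

    // Recommended replacement: call() forwards all remaining gas, so the
    // balance is reduced before the external call (checks-effects-interactions)
    // and the function is guarded against reentrancy.
    function withdrawWithCall(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "Transfer failed.");
    }
}
```

Deploying both contracts and calling deposit() from StorageWritingReceiver (for example through a small helper that forwards the call) makes the difference visible: withdrawWithTransfer reverts with an out-of-gas failure inside the recipient, whereas withdrawWithCall completes and the recipient's received counter is updated.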

#0 - stevennevins

2022-07-19T21:51:59Z

Duplicate of #325

#1 - HardlyDifficult

2022-07-28T15:48:22Z

Duping to #504

Check approved addresses before setting new approvals to the same address to avoid excess gas usage

Check the _to != address(0) before transfers and before balance updates to avoid burning tokens and save gas

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
