Platform: Code4rena
Start Date: 26/07/2022
Pot Size: $75,000 USDC
Total HM: 29
Participants: 179
Period: 6 days
Judge: LSDan
Total Solo HM: 6
Id: 148
League: ETH
Rank: 128/179
Findings: 2
Award: $35.32
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: TomJ
Also found by: 0x4non, 0x52, 0xDjango, 0xNazgul, 0xf15ers, 0xsanson, 8olidity, Bnke0x0, CertoraInc, Ch_301, Chom, Dravee, GalloDaSballo, GimelSec, JC, Jujic, Kenshin, Kumpa, Lambda, M0ndoHEHE, PaludoX0, RedOneN, Ruhum, Sm4rty, Treasure-Seeker, TrungOre, Twpony, Waze, _Adam, __141345__, apostle0x01, arcoun, benbaessler, bin2chen, brgltd, cccz, cloudjunky, cryptonue, djxploit, ellahi, erictee, hansfriese, i0001, minhquanym, oyc_109, peritoflores, rbserver, reassor, rokinot, rotcivegaf, saian, shenwilly, sseefried
0.1513 USDC - $0.15
https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/core/GolomTrader.sol#L236
https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/core/GolomTrader.sol#L301
OpenZeppelin states in its documentation (https://docs.openzeppelin.com/contracts/2.x/api/token/erc721) that the use of transferFrom is discouraged. If an ERC721 token is sent to a receiver contract that is unable to support it, the token could be locked in that contract. Therefore, it is best to use safeTransferFrom instead of transferFrom for ERC721.

Replace transferFrom with safeTransferFrom in fillAsk, fillBid and fillCriteriaBid for greater security.
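The following is an added example, not code from GolomTrader or the Golom project, showing the two transfer patterns side by side together with a receiver that implements the ERC721 hook. Contract and function names (NftSettlement, settleUnsafe, settleSafe, VaultReceiver, NoReceiver) are made up for illustration; it assumes OpenZeppelin Contracts 4.x at the import paths shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not GolomTrader code). Assumes OpenZeppelin Contracts 4.x
// is installed at these import paths.
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

/// @dev Hypothetical order-settlement contract. Both functions require that
/// `from` has approved this contract for `tokenId` (or for the collection).
contract NftSettlement {
    /// Weak pattern: transferFrom only updates ownership. It never asks `to`
    /// whether it can handle ERC721 tokens, so a token sent to a contract
    /// without a receiver hook is stuck there with no way to move it out.
    function settleUnsafe(IERC721 collection, address from, address to, uint256 tokenId) external {
        collection.transferFrom(from, to, tokenId);
    }

    /// Hardened pattern: safeTransferFrom reverts unless `to` is an EOA or a
    /// contract whose onERC721Received returns the expected selector, so a
    /// fill that would lock the token fails instead of completing.
    function settleSafe(IERC721 collection, address from, address to, uint256 tokenId) external {
        collection.safeTransferFrom(from, to, tokenId);
    }
}

/// @dev A contract that can legitimately receive tokens via safeTransferFrom.
contract VaultReceiver is IERC721Receiver {
    event Received(address operator, address from, uint256 tokenId);

    function onERC721Received(
        address operator,
        address from,
        uint256 tokenId,
        bytes calldata
    ) external override returns (bytes4) {
        emit Received(operator, from, tokenId);
        // Returning anything else makes the safe transfer revert.
        return IERC721Receiver.onERC721Received.selector;
    }
}

/// @dev A contract with no receiver hook. settleSafe to it reverts;
/// settleUnsafe to it succeeds and the token is locked permanently.
contract NoReceiver {}
```

One caveat for the hardened version: safeTransferFrom calls into the receiver's onERC721Received, so a marketplace that adopts it should finish its own state updates (order status, fee accounting) before the transfer, or guard the fill functions against reentrancy, since the receiver now runs code in the middle of the fill.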
#0 - KenzoAgada
2022-08-03T15:13:27Z
Duplicate of #342
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0xA5DF, 0xDjango, 0xLovesleep, 0xNazgul, 0xNineDec, 0xSmartContract, 0xackermann, 0xc0ffEE, 0xf15ers, 0xmatt, 0xsanson, 0xsolstars, 8olidity, AuditsAreUS, Bahurum, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chom, CryptoMartian, Deivitto, DevABDee, Dravee, ElKu, Franfran, Funen, GalloDaSballo, GimelSec, GiveMeTestEther, Green, JC, Jmaxmanblue, JohnSmith, Jujic, Junnon, Kenshin, Krow10, Kumpa, Lambda, MEP, Maxime, MiloTruck, Mohandes, NoamYakov, Picodes, RedOneN, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, Soosh, StErMi, StyxRave, Tadashi, TomJ, Treasure-Seeker, TrungOre, Waze, _Adam, __141345__, ajtra, ak1, apostle0x01, arcoun, asutorufos, async, benbaessler, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, carlitox477, chatch, codetilda, codexploder, cryptonue, cryptphi, csanuragjain, cthulhu_cult, delfin454000, dipp, dirk_y, djxploit, ellahi, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, horsefacts, hyh, idkwhatimdoing, indijanc, jayfromthe13th, jayphbee, joestakey, kenzo, kyteg, lucacez, luckypanda, mics, minhquanym, obront, oyc_109, pedr02b2, rajatbeladiya, rbserver, reassor, robee, rokinot, rotcivegaf, sach1r0, saian, saneryee, sashik_eth, scaraven, shenwilly, simon135, sseefried, supernova, teddav, ych18, zuhaibmohd, zzzitron
35.1687 USDC - $35.17
https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/rewards/RewardDistributor.sol#L106
https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/rewards/RewardDistributor.sol#L84
The severity of this issue depends on the date on which RewardDistributor.sol.addFee() is implemented. If the implementation day is 1659643200, i.e. 5 days after startTime, 4 days' worth of GolomToken for rewardTrader could go to a single trader.
1. Assume that RewardDistributor.sol starts operating 5 days after startTime, which makes the current time 1659643200 (1659211200 + (86400*5)).
2. A quick trader then has the opportunity to shift the epoch 5 times and monopolize rewardTrader in these 5 epochs by quickly filling orders 5 times in GolomTrader.sol to trigger addFee (the orders can be filled by others or by himself).
3. The above condition keeps passing 5 times, until block.timestamp < startTime + (epoch) * secsInDay, and epochTotalFee of each previous epoch will be equal to the trader's feesTrader for that epoch.
4. The quick trader realizes all his golomToken by calling traderClaim and obtains the daily emissions of rewardTrader for the past 4 epochs, amounting to 2,010,000 golomToken.
startTime should be set to the day on which the contract is deployed.
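To make the timing dependency concrete, here is an added, stripped-down epoch ledger. It is not Golom's RewardDistributor: the state names (startTime, epoch, secsInDay, addFee, epochTotalFee, feesTrader, rewardTrader) follow the finding, while the contract name, the per-epoch reward constant, the claimable view and the trader-only check are assumptions made for the example. Its constructor applies the mitigation the finding proposes, setting startTime from block.timestamp at deployment, and the comment explains why the weak variant (startTime passed in as a value days in the past) let the first few addFee calls each close an epoch containing only the caller's fee.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example, not Golom's RewardDistributor. A minimal epoch ledger that
/// credits fees per trader per epoch and rolls the epoch forward, at most one
/// step per addFee call, once the current epoch's day has elapsed.
contract EpochFeeLedger {
    uint256 public constant secsInDay = 86400;
    // Constructed placeholder for the per-epoch trader emission; the real
    // figure is protocol-specific and not part of this example.
    uint256 public constant EPOCH_TRADER_REWARD = 1_000 ether;

    uint256 public immutable startTime;
    address public immutable trader; // the only contract allowed to report fees

    uint256 public epoch;
    mapping(uint256 => uint256) public epochTotalFee;
    mapping(uint256 => uint256) public rewardTrader;
    mapping(address => mapping(uint256 => uint256)) public feesTrader;

    // Hardened: the epoch clock starts when the contract goes live, so on the
    // day of deployment the rollover condition in addFee cannot be true and
    // epoch 0 stays open for a full day of fees from everyone.
    // Weak variant (constructed, for contrast): `constructor(address _trader,
    // uint256 _startTime)` storing the caller-supplied _startTime. If that
    // value was 5 days in the past, the rollover condition was already true
    // on the first call, and each of the first 5 calls closed one epoch whose
    // epochTotalFee consisted of nothing but that call's fee.
    constructor(address _trader) {
        trader = _trader;
        startTime = block.timestamp;
    }

    function addFee(address payer, uint256 fee) external {
        require(msg.sender == trader, "not trader");
        // Close the current epoch only if its day has ended. With startTime
        // set at deployment, this is false for every call on day one.
        if (block.timestamp > startTime + epoch * secsInDay) {
            rewardTrader[epoch] = EPOCH_TRADER_REWARD;
            epoch += 1;
        }
        feesTrader[payer][epoch] += fee;
        epochTotalFee[epoch] += fee;
    }

    /// A trader's claim on a closed epoch is its share of that epoch's fee
    /// volume; an epoch whose only fee came from one trader pays that trader
    /// the whole reward, which is exactly what a stale startTime allowed.
    function claimable(address who, uint256 pastEpoch) external view returns (uint256) {
        require(pastEpoch < epoch, "epoch still open");
        uint256 total = epochTotalFee[pastEpoch];
        if (total == 0) return 0;
        return (rewardTrader[pastEpoch] * feesTrader[who][pastEpoch]) / total;
    }
}
```

When reviewing a deployment of the real contract, the check that matters is the one the judge's comment points at: confirm that the startTime written at deployment is the launch day itself, not an earlier placeholder, since the number of epochs a single call can close is the number of whole days between startTime and the first call.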
#0 - 0xsaruman
2022-08-19T17:58:30Z
kind of duplicate of https://github.com/code-423n4/2022-07-golom-findings/issues/251
#1 - dmvt
2022-10-14T10:52:34Z
This is not a duplicate of #251. I'm leaving this in play as a QA issue because it will be a problem if the sponsor forgets to set the start time correctly, but the sponsor is aware and cannot accurately set this number until the launch date of the protocol is known. As long as the sponsor correctly sets the start time, this issue does not exist.