Platform: Code4rena
Start Date: 26/07/2022
Pot Size: $75,000 USDC
Total HM: 29
Participants: 179
Period: 6 days
Judge: LSDan
Total Solo HM: 6
Id: 148
League: ETH
Rank: 74/179
Findings: 2
Award: $131.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
131.6127 USDC - $131.61
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/rewards/RewardDistributor.sol#L100
ETH sent to the contract are wrapped within the addFee function from RewardDistributor contract. When rewardToken.totalSupply is greater than 1000000000 the function just returns. This will stop wrapping the ETH used to pay rewards using WETH.
This vulnerability will impact these functions within the RewardDistributor contract:
the addFee code is called from GolomTrader contract within fillAsk and _settleBalance.
ref1:
if (rewardToken.totalSupply() > 1000000000 * 10**18) { // if supply is greater then a billion dont mint anything, dont add trades return; }
so whenever the total supply is bigger than 1000000000, the function just returns, this would skip these lines that are used to wrap ETH sent to the contract: ref2
if (previousEpochFee > 0) { if (epoch == 1){ epochTotalFee[0] = address(this).balance; // staking and trading rewards start at epoch 1, for epoch 0 all contract ETH balance is converted to staker rewards rewards. weth.deposit{value: address(this).balance}(); }else{ weth.deposit{value: previousEpochFee}(); } }
in this way all the ETH sent to the contract will be lost forever!
Another unexpected behaviour caused by this bug is within multiStackerClaim function: ref3
weth.transfer(tokenowner, rewardEth); }
This last line will never send weth to tokenowner.
Manual Audit
Keep calling weth.deposit() even if the total supply of reward tokens have reach the ceiling.
#0 - KenzoAgada
2022-08-03T14:20:25Z
Duplicate of #320
🌟 Selected for report: TomJ
Also found by: 0x4non, 0x52, 0xDjango, 0xNazgul, 0xf15ers, 0xsanson, 8olidity, Bnke0x0, CertoraInc, Ch_301, Chom, Dravee, GalloDaSballo, GimelSec, JC, Jujic, Kenshin, Kumpa, Lambda, M0ndoHEHE, PaludoX0, RedOneN, Ruhum, Sm4rty, Treasure-Seeker, TrungOre, Twpony, Waze, _Adam, __141345__, apostle0x01, arcoun, benbaessler, bin2chen, brgltd, cccz, cloudjunky, cryptonue, djxploit, ellahi, erictee, hansfriese, i0001, minhquanym, oyc_109, peritoflores, rbserver, reassor, rokinot, rotcivegaf, saian, shenwilly, sseefried
0.1513 USDC - $0.15
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L236 https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L301 https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L361
ERC721 standard requires the receiving contract to implement onERC721Received(), this may lead to loss of ERC721 if it doesn't implement it.
if (o.isERC721) { require(amount == 1, 'only 1 erc721 at 1 time'); ERC721(o.collection).transferFrom(o.signer, receiver, o.tokenId); } else {
if (o.isERC721) { require(amount == 1, 'only 1 erc721 at 1 time'); ERC721 nftcontract = ERC721(o.collection); nftcontract.transferFrom(msg.sender, o.signer, o.tokenId); } else {
if (o.isERC721) { require(amount == 1, 'only 1 erc721 at 1 time'); ERC721 nftcontract = ERC721(o.collection); nftcontract.transferFrom(msg.sender, o.signer, tokenId); } else {
Manual Audit
To solve this issue use the safeTransferFrom() function, that checks whether the receiving contract is IERC721Receiver.
#0 - KenzoAgada
2022-08-03T15:20:41Z
Duplicate of #342