Platform: Code4rena
Start Date: 01/08/2023
Pot Size: $91,500 USDC
Total HM: 14
Participants: 80
Period: 6 days
Judge: gzeon
Total Solo HM: 6
Id: 269
League: ETH
Rank: 74/80
Findings: 1
Award: $12.88
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: dd0x7e8
Also found by: Bughunter101, Fulum, Kaysoft, MatricksDeCoder, SanketKogekar, Sathish9098, T1MOH, Udsen, debo, fatherOfBlocks, grearlake, hpsb, j4ld1na, josephdara, parsely, pep7siup, piyushshukla, ravikiranweb3, shirochan
12.8772 USDC - $12.88
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/helper/V3Proxy.sol#L156
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/helper/V3Proxy.sol#L192
Unchecked return values from low-level calls using ".call" to send ether can fail when sending ETH. If the result is not checked, it implies ETH can be locked in the contract.
V3Proxy.sol line 156 -> payable(msg.sender).call{value: amountOut}(""); - ignores return values
V3Proxy.sol line 192 -> payable(msg.sender).call{value: amounts[1]}(""); - ignores return values
above all missing check (bool success, bytes memory data)
See previous Code4rena Audit Reports Medium Vulnerability
Manual Analysis
It is recommended to check return values for all low-level calls. If the low-level call is used to prevent blocking operations, consider logging failed calls.
    (bool success, bytes memory data) = payable(msg.sender).call{value: amountOut}("");
    if (!success) {
        // do something e.g revert etc
    }
    // can also further check or do something with returned data
call/delegatecall
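The flagged pattern next to the two remediations named in the recommendation (revert, or log the failed call), as an added example that is not part of the original submission or of V3Proxy.sol. `PayoutDemo`, `RejectingReceiver` and all their members are hypothetical names, and restoring the credit in the non-blocking path is an assumption about how a logged failure would be handled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed demo contract; every name here is hypothetical.
contract PayoutDemo {
    mapping(address => uint256) public owed;
    event PayoutFailed(address indexed to, uint256 amount);
    error EthTransferFailed(address to, uint256 amount);

    function deposit() external payable { owed[msg.sender] += msg.value; }

    // Flagged pattern: the bool returned by call is dropped (solc warns about
    // this). If the recipient reverts, the function still succeeds, owed is
    // already zero, and the ETH stays in this contract with no owner recorded.
    function withdrawUnchecked() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        payable(msg.sender).call{value: amount}("");
    }

    // Remediation 1: revert on failure, which also rolls back the balance update.
    function withdrawChecked() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        if (!success) revert EthTransferFailed(msg.sender, amount);
    }

    // Remediation 2 (non-blocking): log the failed call and restore the credit
    // (assumption) so the caller can retry instead of losing the funds.
    function withdrawNonBlocking() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        if (!success) {
            owed[msg.sender] += amount;
            emit PayoutFailed(msg.sender, amount);
        }
    }
}

// Constructed recipient whose receive() always reverts, to exercise the failure path.
contract RejectingReceiver {
    function run(PayoutDemo demo) external payable {
        demo.deposit{value: msg.value}();
        demo.withdrawUnchecked(); // succeeds, yet the ETH stays in demo and owed is 0
    }
    receive() external payable { revert("no ETH accepted"); }
}
```

Swapping `withdrawUnchecked` for `withdrawChecked` inside `run` makes the whole transaction revert, and `withdrawNonBlocking` leaves `owed` intact and emits `PayoutFailed`.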
#0 - c4-pre-sort
2023-08-09T02:07:03Z
141345 marked the issue as duplicate of #481
#1 - c4-pre-sort
2023-08-09T09:26:03Z
141345 marked the issue as duplicate of #83
#2 - c4-judge
2023-08-20T17:11:23Z
gzeon-c4 marked the issue as satisfactory