JPEG'd contest - Meta0xNull's results

Bridging the gap between DeFi and NFTs.

General Information

Platform: Code4rena

Start Date: 07/04/2022

Pot Size: $100,000 USDC

Total HM: 20

Participants: 62

Period: 7 days

Judge: LSDan

Total Solo HM: 11

Id: 107

League: ETH

Researcher Performance

Rank: 22/62

Findings: 2

Award: $552.00

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: hickuphh3

Also found by: 0x1f8b, AuditsAreUS, Foundation, Kthere, Meta0xNull, WatchPug, rayn

Labels

bug
duplicate
3 (High Risk)

Awards

471.3531 USDC - $471.35

External Links

Lines of code

https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/lock/JPEGLock.sol#L44-L62

Vulnerability details

Impact

  1. Alice requests the DAO to call setNFTTypeValueETH() and the DAO approves it.
  2. Alice calls finalizePendingNFTValueETH() and the external function jpegLocker.lockFor is called.
  3. In JPEGLock.sol, Alice transfers _lockAmount = 1000 of JPEGS into the contract and the info is saved in storage as lockAmount.

         jpeg.safeTransferFrom(_account, address(this), _lockAmount);
         positions[_nftIndex] = LockPosition({
             owner: _account,
             unlockAt: block.timestamp + lockTime,
             lockAmount: _lockAmount
         });

  4. Alice repeats steps 1 to 3 and transfers _lockAmount = 500 a second time. This overwrites the previous lockAmount = 1000, and now lockAmount = 500.
  5. Once the lock period has ended, Alice calls unlock() expecting 1500 JPEGS to be transferred to her wallet but only receives 500 JPEGS.

The first 1000 JPEGS Alice transferred will be permanently locked in the contract.

Proof of Concept

https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/NFTVault.sol#L360-L375
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/lock/JPEGLock.sol#L44-L62
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/lock/JPEGLock.sol#L68-L77

  1. Check whether the _nftIndex already has a LockPosition.
  2. If yes, add the new _lockAmount to the existing lockAmount rather than overwriting it.
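
The overwrite described in this finding, next to the accumulate-on-relock mitigation it recommends, as an added sketch that is not the JPEG'd source or the submitter's code. The contract name, the two `lockFor*` function names, the `lockTime` value, the revert strings and the rule of rejecting a position held by another account are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface for this sketch; the page's snippet calls safeTransferFrom.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Added illustration, not the JPEG'd source. Access control and events are omitted.
contract LockSketch {
    struct LockPosition { address owner; uint256 unlockAt; uint256 lockAmount; }

    IERC20 public immutable jpeg;
    uint256 public lockTime = 365 days; // constructed value
    mapping(uint256 => LockPosition) public positions;

    constructor(IERC20 _jpeg) { jpeg = _jpeg; }

    // Behaviour described in the finding: a second call for the same _nftIndex
    // replaces the struct, so the earlier lockAmount is no longer tracked.
    function lockForOverwriting(address _account, uint256 _nftIndex, uint256 _lockAmount) external {
        require(jpeg.transferFrom(_account, address(this), _lockAmount), "transfer_failed");
        positions[_nftIndex] = LockPosition({
            owner: _account,
            unlockAt: block.timestamp + lockTime,
            lockAmount: _lockAmount
        });
    }

    // Mitigation from the finding: check for an existing position and add to it.
    // Assumption of this sketch: a position held by another account is rejected.
    function lockForAccumulating(address _account, uint256 _nftIndex, uint256 _lockAmount) external {
        LockPosition storage p = positions[_nftIndex];
        require(p.owner == address(0) || p.owner == _account, "other_owner");
        require(jpeg.transferFrom(_account, address(this), _lockAmount), "transfer_failed");
        p.owner = _account;
        p.unlockAt = block.timestamp + lockTime;
        p.lockAmount += _lockAmount; // adds to the tracked amount instead of replacing it
    }

    function unlock(uint256 _nftIndex) external {
        LockPosition memory p = positions[_nftIndex];
        require(p.owner == msg.sender, "unauthorized");
        require(block.timestamp >= p.unlockAt, "locked");
        delete positions[_nftIndex]; // clear state before the external call
        require(jpeg.transfer(msg.sender, p.lockAmount), "transfer_failed");
    }
}
```

A unit test for this class of bug asserts that the contract's token balance always equals the sum of `lockAmount` over all open positions; the overwriting variant breaks that invariant on the second lock.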

#0 - spaghettieth

2022-04-11T17:19:48Z

Duplicate of #10

Awards

80.65 USDC - $80.65

Labels

bug
G (Gas Optimization)
sponsor acknowledged

External Links

1) Long Revert Strings are Waste of Gas

Impact

Shortening revert strings to fit in 32 bytes will decrease deployment time gas and will decrease runtime gas when the revert condition has been met.

Revert strings that are longer than 32 bytes require at least one additional mstore, along with additional overhead for computing memory offset, etc.

Proof of Concept

https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/NFTVault.sol#L394
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/tokens/StableCoin.sol#L41
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/tokens/StableCoin.sol#L69

Shorten the revert strings to fit in 32 bytes.

Or consider using Custom Errors (solc >=0.8.4).
