Platform: Code4rena
Start Date: 18/10/2022
Pot Size: $75,000 USDC
Total HM: 27
Participants: 144
Period: 7 days
Judge: gzeon
Total Solo HM: 13
Id: 170
League: ETH
Rank: 139/144
Findings: 1
Award: $0.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Rolezn
Also found by: 0x1f8b, 0x52, 0x5rings, 0xNazgul, 0xSmartContract, 0xZaharina, 0xhunter, 0xzh, 8olidity, Amithuddar, Aymen0909, B2, Bnke0x0, Chom, Deivitto, Diana, Diraco, Dravee, Franfran, JC, Jeiwan, Josiah, JrNet, Jujic, KingNFT, KoKo, Lambda, Margaret, Migue, Ocean_Sky, PaludoX0, Picodes, Rahoz, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Shinchan, Tagir2003, Trust, Waze, Yiko, __141345__, a12jmx, adriro, ajtra, arcoun, aysha, ballx, bin2chen, bobirichman, brgltd, bulej93, catchup, catwhiskeys, caventa, cccz, cdahlheimer, ch0bu, chaduke, chrisdior4, cloudjunky, cryptostellar5, cryptphi, csanuragjain, cylzxje, d3e4, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, hansfriese, i_got_hacked, ignacio, imare, karanctf, kv, leosathya, louhk, lukris02, lyncurion, m_Rassska, malinariy, martin, mcwildy, mics, minhtrng, nicobevi, oyc_109, pashov, peanuts, pedr02b2, peiw, rbserver, ret2basic, rotcivegaf, rvierdiiev, ryshaw, sakman, sakshamguruji, saneryee, securerodd, seyni, sikorico, svskaushik, teawaterwire, tnevler, w0Lfrum
0 USDC - $0.00
There is no validation against address(0) for the `sender` parameter of the `bridgeOut()` function.
HolographERC721.sol
The bridge caller can invoke `bridgeOut()` with address(0) as the `sender` parameter, because the only validation it relies on is a check that returns true for an address(0) parameter:

```solidity
require(_isApproved(sender, tokenId), "ERC721: sender not approved");
```
Modify the `_isApproved` function to revert when the `spender` parameter equals address(0):
```solidity
function _isApproved(address spender, uint256 tokenId) private view returns (bool) {
  require(spender != address(0), "Spender cannot be null address");
  require(_exists(tokenId), "ERC721: token does not exist");
  address tokenOwner = _tokenOwner[tokenId];
  return (spender == tokenOwner || _tokenApprovals[tokenId] == spender || _operatorApprovals[tokenOwner][spender]);
}
```
Approving address(0) is accepted as a valid scenario by the `approve()` function.
HolographERC721.sol
It does not appear to cause a mistake in the protocol, but I suggest adding this validation to avoid wasting gas.
Modify the `approve` function to revert when the `to` parameter equals address(0):
```solidity
function approve(address to, uint256 tokenId) external payable {
  require(to != address(0), "spender cannot be null address");
  address tokenOwner = _tokenOwner[tokenId];
  require(to != tokenOwner, "ERC721: cannot approve self");
  require(_isApproved(msg.sender, tokenId), "ERC721: not approved sender");
  if (_isEventRegistered(HolographERC721Event.beforeApprove)) {
    require(SourceERC721().beforeApprove(tokenOwner, to, tokenId));
  }
  _tokenApprovals[tokenId] = to;
  emit Approval(tokenOwner, to, tokenId);
  if (_isEventRegistered(HolographERC721Event.afterApprove)) {
    require(SourceERC721().afterApprove(tokenOwner, to, tokenId));
  }
}
```
There is no length check in the `sourceMintBatch()` function.
HolographERC20.sol
`sourceMintBatch()` raises an error when the length of `wallets` is higher than the length of `amounts`. The call also completes successfully when more `amounts` than `wallets` are sent. I think this is mostly the user's responsibility, but it could be a reason to rate this issue as medium: the call finishes OK even though not all the desired wallets were provided to the method, so an investigation would be needed to find out what happened with the missing wallets.
Modify the `sourceMintBatch` function to revert when the array lengths are not equal:
```solidity
function sourceMintBatch(address[] calldata wallets, uint256[] calldata amounts) external onlySource {
  // Compare `wallets` against `amounts`; comparing `wallets.length` to itself is always true.
  require(wallets.length == amounts.length, "Array lengths are not equal");
  for (uint256 i = 0; i < wallets.length; i++) {
    _mint(wallets[i], amounts[i]);
  }
}
```
There is no input check in the `getPodOperatorsLength()` and `getPodOperators()` functions.
HolographERC20.sol
`getPodOperatorsLength()` and `getPodOperators()` raise an underflow error when `_operatorPods.length` and the `pod` parameter both equal 0.
Modify the `getPodOperatorsLength()` and `getPodOperators()` functions to revert when `_operatorPods.length` equals 0, keeping the existing validation:
```solidity
function getPodOperatorsLength(uint256 pod) external view returns (uint256) {
  require(_operatorPods.length != 0 && _operatorPods.length >= pod, "HOLOGRAPH: pod does not exist");
  return _operatorPods[pod - 1].length;
}
```
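As an added example (not Holograph's code or the warden's), a minimal stand-alone registry with a hypothetical `addPod` helper and a Foundry test: the unchecked variant reproduces the underflow panic described in this finding, and the hardened variant goes slightly beyond the page's suggested check by also rejecting `pod == 0` on a non-empty registry, since `pod - 1` underflows there as well. It assumes forge-std is available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Hypothetical stand-in for the pod registry, not Holograph's contract.
// Pods are addressed 1-based: 0 means "no pod", so the array slot is pod - 1.
contract PodRegistry {
    address[][] private _operatorPods;

    function addPod(address[] memory operators) external {
        _operatorPods.push(operators);
    }

    // Original shape: `length >= pod` passes for pod == 0 (including on an
    // empty registry), then `pod - 1` underflows and reverts with Panic(0x11).
    function getPodOperatorsLengthUnsafe(uint256 pod) external view returns (uint256) {
        require(_operatorPods.length >= pod, "HOLOGRAPH: pod does not exist");
        return _operatorPods[pod - 1].length;
    }

    // Hardened: reject the 0 sentinel and the upper bound before subtracting,
    // so callers get the descriptive reason instead of an arithmetic panic.
    function getPodOperatorsLength(uint256 pod) external view returns (uint256) {
        require(pod != 0 && pod <= _operatorPods.length, "HOLOGRAPH: pod does not exist");
        return _operatorPods[pod - 1].length;
    }
}

contract PodRegistryTest is Test {
    PodRegistry internal reg = new PodRegistry();

    function testUnsafePanicsOnZeroPod() public {
        vm.expectRevert(stdError.arithmeticError); // Panic(0x11), not the require reason
        reg.getPodOperatorsLengthUnsafe(0);
    }

    function testHardenedRevertsWithReason() public {
        vm.expectRevert(bytes("HOLOGRAPH: pod does not exist"));
        reg.getPodOperatorsLength(0);
    }

    function testValidPod() public {
        address[] memory ops = new address[](2);
        ops[0] = address(0x1);
        ops[1] = address(0x2);
        reg.addPod(ops);
        assertEq(reg.getPodOperatorsLength(1), 2);
    }
}
```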