Back to Rahoz's contests

Escher contest - Rahoz's results

A decentralized curated marketplace for editioned artwork.

General Information

Platform: Code4rena

Start Date: 06/12/2022

Pot Size: $36,500 USDC

Total HM: 16

Participants: 119

Period: 3 days

Judge: berndartmueller

Total Solo HM: 2

Id: 189

League: ETH

Escher

Findings Distribution

Researcher Performance

Rank: 116/119

Findings: 1

Award: $0.61

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryEscher

Findings Information

🌟 Selected for report: RaymondFam

Also found by: 0xdeadbeef0x, 0xhacksmithh, AkshaySrivastav, Awesome, Bnke0x0, CRYP70, HollaDieWaldfee, JC, Parth, Rahoz, Tutturu, __141345__, ahmedov, ajtra, asgeir, aviggiano, bin2chen, btk, carrotsmuggler, cccz, chaduke, cryptonue, dic0de, fatherOfBlocks, fs0c, hansfriese, jonatascm, karanctf, ladboy233, lumoswiz, martin, obront, pashov, pauliax, rvierdiiev, shark, simon135, supernova, tourist, yellowBirdy, zapaz, zaskoh

Awards

0.6136 USDC - $0.61

Labels

bug
2 (Med Risk)
satisfactory
duplicate-99

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/FixedPrice.sol#L109 https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/OpenEdition.sol#L92 https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/LPDA.sol#L85

Vulnerability details

Impact

In three contracts FixedPrice, LPDA and OpenEdition, when contract finish sale and transfer some amount to feeReceiver then if feeReceiver is a contract which contain logic inside fallback function, it can be fail the execution because .transfer() hardcode 2300 gas limit. Also can be fail when transfer to saleReceiver in LPDA

Proof of Concept

https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/FixedPrice.sol#L109 https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/OpenEdition.sol#L92 https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/LPDA.sol#L85

Consider to use .call and check transaction is success or not.

(bool success,) = ISaleFactory(factory).feeReceiver().call{value: address(this).balance / 20}("");
require(success, "Transfer error");

// Contract LDPA with function buy
function buy(uint256 _amount) external payable {
    ...
    if (newId == temp.finalId) {
        sale.finalPrice = uint80(price);
        uint256 totalSale = price * amountSold;
        uint256 fee = totalSale / 20;
				(bool success1,) = ISaleFactory(factory).feeReceiver().call{value: fee}("");
				require(success1, "Transfer error");
				(bool success2,) = temp.saleReceiver.call{value: totalSale - fee}("");
				require(success2, "Transfer error");
        _end();
    }
}

#0 - c4-judge

2022-12-10T12:07:30Z

berndartmueller marked the issue as duplicate of #99

#1 - c4-judge

2023-01-03T12:49:24Z

berndartmueller marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter