Art Gobblers contest - RaymondFam's results

Experimental Decentralized Art Factory By Justin Roiland and Paradigm.

General Information

Platform: Code4rena

Start Date: 20/09/2022

Pot Size: $100,000 USDC

Total HM: 4

Participants: 109

Period: 7 days

Judge: GalloDaSballo

Id: 163

League: ETH

Art Gobblers

Findings Distribution

Researcher Performance

Rank: 11/109

Findings: 2

Award: $2,830.23

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: wagmi

Also found by: 0x52, CertoraInc, Lambda, RaymondFam, arcoun

Labels

bug
duplicate
2 (Med Risk)
edited-by-warden

Awards

2775.0325 USDC - $2,775.03

External Links

Lines of code

https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L458
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/utils/token/GobblersERC721.sol#L166

Vulnerability details

Impact

The mapping of user addresses to their account data could have gobblersOwned incremented twice, corrupting the account tally in the mapping below, which is inherited by ArtGobblers.sol:

https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/utils/token/GobblersERC721.sol#L44

Every subsequent function call that reads this tally would then operate on an inflated count.

Proof of Concept

Whenever a Dutch auction for a legendary gobbler concludes, the comment on line 457 of ArtGobblers.sol states that 1 is added to getUserData[msg.sender].gobblersOwned to account for the new legendary. However, when the inherited _mint(msg.sender, gobblerId) is called on line 469, getUserData[to].gobblersOwned is incremented again on line 166 of GobblersERC721.sol.

Refactor line 458 of ArtGobblers.sol as follows:

getUserData[msg.sender].gobblersOwned = uint32(getUserData[msg.sender].gobblersOwned - cost);

or remove lines 165 - 167 of GobblersERC721.sol.
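The double increment described above, reduced to a minimal model so the tally can be compared side by side. This is an added illustration, not ArtGobblers or Code4rena code; the contract and function names (CountingNFT, LegendaryTally, Demo, seed, owned) are assumptions, and only the `getUserData[...].gobblersOwned` update pattern mirrors the lines cited in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed model of the inherited token: _mint already credits the
// recipient's tally, as GobblersERC721.sol does on the cited line.
contract CountingNFT {
    struct UserData {
        uint32 gobblersOwned;
    }

    mapping(address => UserData) public getUserData;
    mapping(uint256 => address) public ownerOf;

    function _mint(address to, uint256 id) internal {
        ownerOf[id] = to;
        unchecked {
            ++getUserData[to].gobblersOwned;
        }
    }
}

// Constructed derived contract with the buggy and the corrected legendary
// mint path side by side. `cost` is the number of gobblers burned.
contract LegendaryTally is CountingNFT {
    uint256 internal nextId = 1;

    // Test helper (assumption): give the caller `n` gobblers to burn.
    function seed(uint32 n) external {
        getUserData[msg.sender].gobblersOwned = n;
    }

    // Buggy: credits +1 for the legendary, then _mint credits +1 again.
    function mintLegendaryBuggy(uint32 cost) external {
        getUserData[msg.sender].gobblersOwned =
            uint32(getUserData[msg.sender].gobblersOwned + 1 - cost);
        _mint(msg.sender, nextId++);
    }

    // Corrected (the report's first option): only subtract the burned
    // gobblers here and let _mint account for the new legendary.
    function mintLegendaryFixed(uint32 cost) external {
        getUserData[msg.sender].gobblersOwned =
            uint32(getUserData[msg.sender].gobblersOwned - cost);
        _mint(msg.sender, nextId++);
    }

    function owned(address account) external view returns (uint32) {
        return getUserData[account].gobblersOwned;
    }
}

// Runs both paths from a fresh state: 3 gobblers held, 2 burned for one
// legendary, so the correct final tally is 2.
contract Demo {
    function run() external returns (uint32 buggy, uint32 corrected) {
        LegendaryTally a = new LegendaryTally();
        a.seed(3);
        a.mintLegendaryBuggy(2);
        buggy = a.owned(address(this)); // 3: double-counted

        LegendaryTally b = new LegendaryTally();
        b.seed(3);
        b.mintLegendaryFixed(2);
        corrected = b.owned(address(this)); // 2: as expected
    }
}
```

Deploying Demo and calling run() returns (3, 2): the buggy path leaves the account holding one phantom gobbler, which is the inflated tally the finding warns about.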

Lines of code

https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L311-L321
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/Pages.sol#L177-L183
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/utils/rand/ChainlinkV1RandProvider.sol#L55-L58
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/Goo.sol#L83-L84
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/utils/GobblerReserve.sol#L24

Vulnerability details

Impact

Zero address/value and empty string/bytes checks should be implemented in the constructor. If a mistake is made at deployment, not only would every call that depends on the affected state variables be non-functional, the contract would also need to be redeployed if no setter functions exist for those variables.

Proof of Concept

As an example, one or more of the following scenarios associated with ArtGobblers.sol could transpire, rendering the deployed contract obsolete:

  1. A zero address could accidentally be assigned to goo, pages, team, community or randProvider.
  2. An empty string might be assigned to BASE_URI or UNREVEALED_URI.
  3. A zero value might be assigned to minStart.
  4. An empty byte might also be assigned to merkleRoot.

As an example, the following lines of code should be inserted into the constructor body of ArtGobblers.sol:

if (_mintStart == 0) revert ZeroValue();
if (_merkleRoot == bytes32(0)) revert EmptyByte();
if (
    _goo == address(0) ||
    _pages == address(0) ||
    _team == address(0) ||
    _community == address(0) ||
    _randProvider == address(0)
) revert AddressZero();
// Solidity does not support == on strings; compare the byte length instead.
if (bytes(BASE_URI).length == 0 || bytes(UNREVEALED_URI).length == 0) revert EmptyString();

Note: The custom errors will have to be declared above the constructor.
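A complete, compilable version of the constructor guard, added here as an illustration; it is not ArtGobblers code. The custom error names follow the report, while the contract name, the parameter list and the DeployCheck harness are assumptions. It also shows the one trap in writing these checks: string state variables cannot be compared with `==`, so the empty-string check goes through `bytes(...).length`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed contract whose constructor rejects unset deployment parameters.
contract ValidatedDeployment {
    error ZeroValue();
    error EmptyByte();
    error AddressZero();
    error EmptyString();

    address public immutable goo;
    address public immutable pages;
    address public immutable team;
    address public immutable community;
    address public immutable randProvider;
    uint256 public immutable mintStart;
    bytes32 public immutable merkleRoot;
    string public BASE_URI;
    string public UNREVEALED_URI;

    constructor(
        address _goo,
        address _pages,
        address _team,
        address _community,
        address _randProvider,
        uint256 _mintStart,
        bytes32 _merkleRoot,
        string memory _baseUri,
        string memory _unrevealedUri
    ) {
        if (_mintStart == 0) revert ZeroValue();
        if (_merkleRoot == bytes32(0)) revert EmptyByte();
        if (
            _goo == address(0) ||
            _pages == address(0) ||
            _team == address(0) ||
            _community == address(0) ||
            _randProvider == address(0)
        ) revert AddressZero();
        // Strings have no == operator in Solidity; an empty string is one
        // whose byte representation has length zero.
        if (bytes(_baseUri).length == 0 || bytes(_unrevealedUri).length == 0) {
            revert EmptyString();
        }

        goo = _goo;
        pages = _pages;
        team = _team;
        community = _community;
        randProvider = _randProvider;
        mintStart = _mintStart;
        merkleRoot = _merkleRoot;
        BASE_URI = _baseUri;
        UNREVEALED_URI = _unrevealedUri;
    }
}

// Constructed harness: confirms that a deployment with a zero goo address
// reverts instead of producing a contract that must be redeployed later.
contract DeployCheck {
    function zeroGooIsRejected() external returns (bool rejected) {
        try
            new ValidatedDeployment(
                address(0),
                address(2),
                address(3),
                address(4),
                address(5),
                1,
                bytes32(uint256(1)),
                "ipfs://base/",
                "ipfs://unrevealed/"
            )
        returns (ValidatedDeployment) {
            rejected = false;
        } catch {
            rejected = true; // AddressZero() fired in the constructor
        }
    }
}
```

Calling zeroGooIsRejected() on a deployed DeployCheck returns true; swapping address(0) for a real address makes the creation succeed and the function return false, which is the behaviour the report asks for.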

#0 - Shungy

2022-09-28T15:33:26Z

This should be in QA report as it is at best a low risk. Also they are having the deployment script audited as well to ensure the deployment parameters are set correctly. Therefore having zero address checks and such can be redundant.

#1 - GalloDaSballo

2022-10-09T22:10:24Z

Zero address -> Low severity

L
