Platform: Code4rena
Start Date: 28/11/2022
Pot Size: $192,500 USDC
Total HM: 33
Participants: 106
Period: 11 days
Judge: LSDan
Total Solo HM: 15
Id: 186
League: ETH
Rank: 37/106
Findings: 3
Award: $603.51
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hyh
Also found by: SmartSek, Trust, kaliberpoziomka8552
493.9624 USDC - $493.96
delete doesnt delete mapping inside a struct.
setPrice() wouldnt be able to change its price and any user or contract who queries the variable directly will receive stale/untruthful information.
Run forge test below.
// SPDX-License-Identifier: MIT pragma solidity ^0.8.0; import "ds-test/test.sol"; import "forge-std/Script.sol"; contract TestDeleteMappingInStruct is DSTest, Script { struct Token { bool enabled; mapping(address => uint256) balances; } /// @notice Mapping of token address to Token struct mapping(address => Token) public tokens; function testMapping() public { address tkn = address(0xB0FFED); address badBabe = address(0xBADBABE); uint256 balanceBB = 1_000_000; tokens[tkn].balances[badBabe] = balanceBB; delete tokens[tkn]; // should fail vm.expectRevert(); assert(tokens[tkn].balances[badBabe] == 0); } function testMappingSuccess() public { address tkn = address(0xB0FFED); address badBabe = address(0xBADBABE); uint256 balanceBB = 1_000_000; tokens[tkn].balances[badBabe] = balanceBB; delete tokens[tkn].balances[badBabe]; // should succeed assert(tokens[tkn].balances[badBabe] == 0); } } Variable affected:
/// @dev Original raw value to aggregate with // the NFT contract address -> FeederRegistrar which contains price from each feeder mapping(address => FeederRegistrar) public assetFeederMap;
struct FeederRegistrar { // if asset registered or not bool registered; // index in asset list uint8 index; // if asset paused,reject the price bool paused; // feeder -> PriceInformation mapping(address => PriceInformation) feederPrice; }
delete assetFeederMap[_asset];
Implement the following line:
delete assetFeederMap[_asset].feederPrice;
#0 - c4-judge
2022-12-20T16:42:50Z
dmvt marked the issue as duplicate of #244
#1 - c4-judge
2023-01-23T20:18:52Z
dmvt marked the issue as satisfactory
🌟 Selected for report: IllIllI
Also found by: 0x4non, 0x52, 0xAgro, 0xNazgul, 0xSmartContract, 0xackermann, 9svR6w, Awesome, Aymen0909, B2, BRONZEDISC, Bnke0x0, Deekshith99, Deivitto, Diana, Dravee, HE1M, Jeiwan, Kaiziron, KingNFT, Lambda, Mukund, PaludoX0, RaymondFam, Rolezn, Sathish9098, Secureverse, SmartSek, __141345__, ahmedov, ayeslick, brgltd, cccz, ch0bu, chrisdior4, cryptonue, cryptostellar5, csanuragjain, datapunk, delfin454000, erictee, gz627, gzeon, helios, i_got_hacked, ignacio, imare, jadezti, jayphbee, joestakey, kankodu, ksk2345, ladboy233, martin, nadin, nicobevi, oyc_109, pashov, pavankv, pedr02b2, pzeus, rbserver, ronnyx2017, rvierdiiev, shark, unforgiven, xiaoming90, yjrwkk
103.9175 USDC - $103.92
Users or contracts making calls directly to the smart contract will have their executeBatchBuyWithCredit() calls failing because the contract assumes parameters are in a certain order, even though there are no checks or logic enforcing such behaviour.
Any fault or hang up in the frontend would also lead to reverts.
This check should be done at the smart contract level because there is nothing preventing users to interact in this manner directly through the smart contract.
// Once we encounter a listing using WETH, then we convert all our ethLeft to WETH // this also means that the parameters order is very important // // frontend/sdk needs to guarantee that WETH orders will always be put after ALL // ETH orders, all ETH orders after WETH orders will fail // // eg. The following example image that the `taker` owns only ETH and wants to // batch buy bunch of NFTs which are listed using WETH and ETH // // batchBuyWithCredit([ETH, WETH, ETH]) => ko // | -> convert all ethLeft to WETH, 3rd purchase will fail // batchBuyWithCredit([ETH, ETH, ETH]) => ok // batchBuyWithCredit([ETH, ETH, WETH]) => ok //
Implement a check to ensure parameters are sent in the right order. A much more gas expensive alternative would be sorting them in the right order.
Please find below an instance of a similar issue where frontend input sanitization has been deemed to be insufficient: https://github.com/code-423n4/2022-06-canto-findings/issues/244#issuecomment-1205692351
#0 - c4-judge
2023-01-09T22:35:37Z
dmvt changed the severity to QA (Quality Assurance)
#1 - c4-judge
2023-01-25T15:54:21Z
dmvt marked the issue as grade-b