Platform: Code4rena
Start Date: 12/07/2022
Pot Size: $35,000 USDC
Total HM: 13
Participants: 78
Period: 3 days
Judge: 0xean
Total Solo HM: 6
Id: 135
League: ETH
Rank: 42/78
Findings: 2
Award: $73.08
Selected for report: 0
Solo Findings: 0
Selected for report: joestakey
Also found by: 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 8olidity, Avci, Bahurum, Bnke0x0, Chom, ElKu, Funen, GimelSec, JC, Junnon, Kaiziron, Meera, PaludoX0, Picodes, ReyAdmirado, Sm4rty, Soosh, Waze, _Adam, __141345__, ak1, aysha, benbaessler, bin2chen, c3phas, cccz, cryptphi, csanuragjain, defsec, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, itsmeSTYJ, jonatascm, kyteg, mektigboy, oyc_109, pashov, rbserver, rishabh, robee, rokinot, sach1r0, sashik_eth, scaraven, simon135, slywaters
45.8807 USDC - $45.88
incorrect boolean logic in ERC20.sol permit function
if (recoveredAddress != address(0) && recoveredAddress != owner) { revert Invalid(msg.sender, owner); }
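As an added example (not code from Swivel's ERC20.sol), a minimal permit with the corrected check; the vulnerable predicate is kept in a comment to show how an ecrecover() failure slips through it. The contract name, the DOMAIN_SEPARATOR constructor argument and the storage names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Illustrative contract (not Swivel's ERC20.sol); names below are assumed.
contract PermitCheckExample {
    error Invalid(address caller, address owner);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => uint256) public nonces;
    bytes32 public constant PERMIT_TYPEHASH = keccak256(
        "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
    );
    bytes32 public immutable DOMAIN_SEPARATOR;

    constructor(bytes32 domainSeparator) { DOMAIN_SEPARATOR = domainSeparator; }

    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external {
        require(deadline >= block.timestamp, "PERMIT_DEADLINE_EXPIRED");
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19\x01", DOMAIN_SEPARATOR,
            keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline))
        ));
        // ecrecover returns address(0) for a malformed signature (e.g. v not 27/28).
        address recoveredAddress = ecrecover(digest, v, r, s);

        // Vulnerable form (only rejects a NON-ZERO signer that differs from owner):
        //   if (recoveredAddress != address(0) && recoveredAddress != owner) revert ...
        // With recoveredAddress == address(0) the condition is false, no revert happens,
        // and allowance[address(0)][spender] is written below.
        //
        // Corrected form: reject unless the signer is non-zero AND equals owner.
        if (recoveredAddress == address(0) || recoveredAddress != owner) {
            revert Invalid(msg.sender, owner);
        }
        allowance[recoveredAddress][spender] = value;
        emit Approval(owner, spender, value);
    }
}
```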
Because the condition is joined with &&, a recoveredAddress equal to address(0) never triggers the revert. ecrecover() returns 0x0 whenever v is any number other than 27 or 28, so a caller supplying an invalid signature can set allowance[address(0)][attacker] = any value.

Impact:
If any tokens are held by address(0) (maybe for burning/removing supply purposes), an attacker can use approve() and transferFrom() to move them from address(0) to their own address and retrieve the tokens. The Approval(owner, spender, value) event will also be emitted even though, in reality, the spender does not have the owner's approval.

Affected:
Recommendations:
Use require(recoveredAddress != address(0) && recoveredAddress == owner), or equivalently revert when recoveredAddress == address(0) || recoveredAddress != owner (De Morgan's law).

In MarketPlace.sol:
ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, a);
ISwivel in Interfaces.sol contains the interface:
interface ISwivel { function authRedeem(uint8 p, address u, address c, address t, uint256 a) external returns (bool); }
But Swivel.sol does not have such a function; the closest to it is authRedeemZcToken().
Affected Code:
#0 - robrobbins
2022-08-31T00:05:13Z
demorgan's and interface issues addressed via other tickets
Selected for report: joestakey
Also found by: 0x040, 0x1f8b, 0xDjango, 0xNazgul, 0xsam, Avci, Aymen0909, Bnke0x0, CRYP70, ElKu, Fitraldys, Funen, JC, Kaiziron, MadWookie, Meera, ReyAdmirado, Sm4rty, Soosh, TomJ, Waze, _Adam, __141345__, ajtra, benbaessler, c3phas, csanuragjain, durianSausage, exd0tpy, fatherOfBlocks, hake, ignacio, karanctf, kyteg, m_Rassska, oyc_109, rbserver, robee, rokinot, samruna, sashik_eth, simon135, slywaters
27.195 USDC - $27.20
if (!someFunction()) {revert Exception()}
In checks of this form, someFunction() only ever returns true (or reverts). Because these functions never return false, the additional check never evaluates to true and the revert Exception() never occurs. That is to say, the checks serve no purpose.

All instances of redundant if checks:
MarketPlace.sol:
Swivel.sol: