Platform: Code4rena
Start Date: 26/07/2022
Pot Size: $75,000 USDC
Total HM: 29
Participants: 179
Period: 6 days
Judge: LSDan
Total Solo HM: 6
Id: 148
League: ETH
Rank: 30/179
Findings: 5
Award: $409.44
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: berndartmueller
Also found by: 0x1f8b, 0x52, 0xA5DF, 0xsanson, CRYP70, GimelSec, Krow10, TrungOre, auditor0517, hansfriese, hyh, panprog, rajatbeladiya, rbserver, teddav
93.2805 USDC - $93.28
Denial of Service because ve always is address(0)
There is no initial setup for ve variable in contract RewardDistributor. So if we want to set ve variable, we will need to call function addVoteEscrow().
function addVoteEscrow(address _voteEscrow) external onlyOwner { if (address(ve) == address(0)) { ve = VE(pendingVoteEscrow); } else { voteEscrowEnableDate = block.timestamp + 1 days; pendingVoteEscrow = _voteEscrow; } }
Function addVoteEscrow() will check address(ve) == address(0) or not. Cause there is no initialization for ve, it will set ve = VE(pendingVoteEscrow). But at this time, pendingVoteEscrow is address(0) too.
==> ve == address(0) forever
Manual review
change function to
function addVoteEscrow(address _voteEscrow) external onlyOwner { if (address(ve) == address(0)) { ve = VE(_voteEscrow); } else { voteEscrowEnableDate = block.timestamp + 1 days; pendingVoteEscrow = _voteEscrow; } }
#0 - okkothejawa
2022-08-04T12:27:23Z
Duplicate of #611
🌟 Selected for report: CertoraInc
Also found by: 0xA5DF, 0xsanson, Bahurum, GalloDaSballo, MEP, TrungOre, carlitox477, cryptphi, kenzo
280.8379 USDC - $280.84
User can't transfer/transferFrom NFT
Function transfer() and transferFrom() will execute internal function _transferFrom() in contract VoteEscrowDelegation.sol.
Function _transferFrom() use command
this.removeDelegation(_tokenId);
to remove the delegation. But use this. will let the function execute a external call to itself. That will make the requirement
require(ownerOf(tokenId) == msg.sender, 'VEDelegation: Not allowed');
failed, cause the current msg.sender now is its address (not the origin sender and not the owner of nft).
Manual review
delete this. to make a internal call.
// this.removeDelegation(_tokenId); removeDelegation(_tokenId);
#0 - KenzoAgada
2022-08-02T05:50:04Z
Duplicate of #377
🌟 Selected for report: cloudjunky
Also found by: 0x1f8b, 0x4non, 0x52, 0xDjango, 0xHarry, 0xNazgul, 0xNineDec, 0xf15ers, 0xsanson, 0xsolstars, 8olidity, Bnke0x0, CertoraInc, Chom, Deivitto, Dravee, GalloDaSballo, GimelSec, IllIllI, Jmaxmanblue, JohnSmith, Jujic, Kenshin, Krow10, Lambda, MEP, Noah3o6, RedOneN, Ruhum, StErMi, StyxRave, TomJ, Treasure-Seeker, TrungOre, _Adam, __141345__, arcoun, asutorufos, bardamu, bearonbike, bin2chen, brgltd, bulej93, c3phas, cRat1st0s, carlitox477, cccz, codexploder, cryptonue, cryptphi, cthulhu_cult, dharma09, dipp, djxploit, durianSausage, ellahi, giovannidisiena, hansfriese, horsefacts, hyh, immeas, indijanc, jayjonah8, jayphbee, joestakey, kenzo, kyteg, ladboy233, minhquanym, navinavu, obront, oyc_109, peritoflores, rbserver, reassor, rokinot, rotcivegaf, saian, scaraven, shenwilly, simon135, sseefried, teddav, zzzitron
0.0037 USDC - $0.00
To withdraw eth it uses transfer(), this trnansaction will fail inevitably when : -
The withdrawer smart contract does not implement a payable function.
Withdrawer smart contract does implement a payable fallback which uses more than 2300 gas unit
The withdrawer smart contract implements a payable fallback function whicn needs less than 2300 gas unit but is called through proxy that raise the call's gas usage above 2300
https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
Manual review
use call() to send eth
#0 - KenzoAgada
2022-08-03T14:03:23Z
Duplicate of #343
🌟 Selected for report: TomJ
Also found by: 0x4non, 0x52, 0xDjango, 0xNazgul, 0xf15ers, 0xsanson, 8olidity, Bnke0x0, CertoraInc, Ch_301, Chom, Dravee, GalloDaSballo, GimelSec, JC, Jujic, Kenshin, Kumpa, Lambda, M0ndoHEHE, PaludoX0, RedOneN, Ruhum, Sm4rty, Treasure-Seeker, TrungOre, Twpony, Waze, _Adam, __141345__, apostle0x01, arcoun, benbaessler, bin2chen, brgltd, cccz, cloudjunky, cryptonue, djxploit, ellahi, erictee, hansfriese, i0001, minhquanym, oyc_109, peritoflores, rbserver, reassor, rokinot, rotcivegaf, saian, shenwilly, sseefried
0.1513 USDC - $0.15
https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/core/GolomTrader.sol#L301 https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/core/GolomTrader.sol#L361 https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/core/GolomTrader.sol#L236
In the function fillBid() of contract PrizePool, when transfering ERC721 tokens to the msg.sender, the transferFrom keyword is used instead of safeTransferFrom. If any msg.sender is a contract and not aware of incoming ERC721 tokens, the sent tokens could be locked.
https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
Manual review
Consider changing transferFrom to safeTransferFrom
#0 - KenzoAgada
2022-08-03T15:05:15Z
Duplicate of #342
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0xA5DF, 0xDjango, 0xLovesleep, 0xNazgul, 0xNineDec, 0xSmartContract, 0xackermann, 0xc0ffEE, 0xf15ers, 0xmatt, 0xsanson, 0xsolstars, 8olidity, AuditsAreUS, Bahurum, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chom, CryptoMartian, Deivitto, DevABDee, Dravee, ElKu, Franfran, Funen, GalloDaSballo, GimelSec, GiveMeTestEther, Green, JC, Jmaxmanblue, JohnSmith, Jujic, Junnon, Kenshin, Krow10, Kumpa, Lambda, MEP, Maxime, MiloTruck, Mohandes, NoamYakov, Picodes, RedOneN, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, Soosh, StErMi, StyxRave, Tadashi, TomJ, Treasure-Seeker, TrungOre, Waze, _Adam, __141345__, ajtra, ak1, apostle0x01, arcoun, asutorufos, async, benbaessler, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, carlitox477, chatch, codetilda, codexploder, cryptonue, cryptphi, csanuragjain, cthulhu_cult, delfin454000, dipp, dirk_y, djxploit, ellahi, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, horsefacts, hyh, idkwhatimdoing, indijanc, jayfromthe13th, jayphbee, joestakey, kenzo, kyteg, lucacez, luckypanda, mics, minhquanym, obront, oyc_109, pedr02b2, rajatbeladiya, rbserver, reassor, robee, rokinot, rotcivegaf, sach1r0, saian, saneryee, sashik_eth, scaraven, shenwilly, simon135, sseefried, supernova, teddav, ych18, zuhaibmohd, zzzitron
35.1687 USDC - $35.17
tags: c4, 2022-07-golom, QA
change 'mgmtm' to another message, example 'not enough value' https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol/#L217
function fillBid and fillCriteriaBid: sender should send msg.value to p.paymentAddress instead of signer
uint256 protocolFee = ((o.totalAmt * 50) / 10000) * amount; require( o.totalAmt * amount >= (o.exchange.paymentAmt + o.prePayment.paymentAmt + o.refererrAmt) * amount + p.paymentAmt + protocolfee ); // cause bidder eth is paying for seller payment p , dont take anything extra from seller
Because o.totalAmt should include protocolFee
fillCriteriaBid similarlyweth to WETH9 cause ERC20 has no function called deposit()
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/rewards/RewardDistributor.sol#L69console.loghttps://github.com/code-423n4/2022-07-golom/blob/main/contracts/rewards/RewardDistributor.sol#L99
rewardToken.decimals() instead of hard coding 18https://github.com/code-423n4/2022-07-golom/blob/main/contracts/rewards/RewardDistributor.sol#L100
protocolfee -> protocolFee https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L381-L384
(epoch) -> epoch https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/rewards/RewardDistributor.sol#L106
safeTransfer instead of transferMIN_VOTING_POWER_REQUIRED -> minVotingPowerRequired
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/vote-escrow/VoteEscrowDelegation.sol#L50