Back to Tutturu's contests

Fractional v2 contest - Tutturu's results

A collective ownership platform for NFTs on Ethereum.

General Information

Platform: Code4rena

Start Date: 07/07/2022

Pot Size: $75,000 USDC

Total HM: 32

Participants: 141

Period: 7 days

Judge: HardlyDifficult

Total Solo HM: 4

Id: 144

League: ETH

Fractional

Findings Distribution

Researcher Performance

Rank: 74/141

Findings: 3

Award: $100.81

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryFractional

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x29A, Amithuddar, Avci, BowTiedWardens, Kthere, Limbooo, MEP, Ruhum, StyxRave, TomJ, Treasure-Seeker, TrungOre, Tutturu, Waze, bardamu, c3phas, cccz, codexploder, cryptphi, hake, horsefacts, hyh, oyc_109, pashov, peritoflores, scaraven, simon135, slywaters, sseefried, tofunmi, xiaoming90

Awards

1.3977 USDC - $1.40

Labels

bug
duplicate
2 (Med Risk)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-07-fractional/blob/e2c5a962a94106f9495eb96769d7f60f7d5b14c9/src/modules/Migration.sol#L172 https://github.com/code-423n4/2022-07-fractional/blob/e2c5a962a94106f9495eb96769d7f60f7d5b14c9/src/modules/Migration.sol#L325

Vulnerability details

Impact

The depricated .transfer() function has a hardcoded gas limit of 2300 which due to an increase is opcode costs means that the function might revert when called by a multisig wallet, leading to the funds being locked up . Additionally, it might revert due to:

  1. The caller contract not implementing a payable function

  2. The caller contract implementing a payable fallback function that uses more than 2300 gas

Proof of Concept

The affected contract is Migration.sol, in functions leave() - L#172 and withdrawContribution - L#325

Since both functions follow the correct checks-effects-interactions pattern I recommend replacing .transfer() with a low level .call()

#0 - stevennevins

2022-07-19T21:51:04Z

Duplicate of #325

#1 - HardlyDifficult

2022-07-28T15:47:45Z

Duping to #504

Findings Information

🌟 Selected for report: xiaoming90

Also found by: 0x1f8b, 0x29A, 0x52, 0xA5DF, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xsanson, 0xsolstars, 242, 8olidity, Amithuddar, Aymen0909, Bnke0x0, BowTiedWardens, David_, Deivitto, ElKu, Funen, Hawkeye, IllIllI, JC, Kaiziron, Keen_Sheen, Kthere, Kulk0, Kumpa, Lambda, MEP, ReyAdmirado, Rohan16, Ruhum, Sm4rty, TomJ, Tomio, Treasure-Seeker, TrungOre, Tutturu, Viksaa39, Waze, _Adam, __141345__, ak1, apostle0x01, asutorufos, async, ayeslick, aysha, bbrho, benbaessler, berndartmueller, c3phas, cccz, chatch, cloudjunky, codexploder, cryptphi, delfin454000, dipp, durianSausage, dy, exd0tpy, fatherOfBlocks, hake, hansfriese, horsefacts, hubble, joestakey, jonatascm, kebabsec, kenzo, kyteg, mektigboy, neumo, oyc_109, pashov, pedr02b2, peritoflores, rajatbeladiya, rbserver, robee, rokinot, s3cunda, sach1r0, sahar, sashik_eth, scaraven, shenwilly, simon135, sorrynotsorry, sseefried, svskaushik, unforgiven, z3s, zzzitron

Awards

61.9379 USDC - $61.94

Labels

bug
QA (Quality Assurance)
sponsor disputed

External Links

Link to GitHub issue

1. Unused receive() will lock Ether into contracts

The following contracts define a payable receive function but have no way of withdrawing or utilizing the sent Ether, resulting in Ether being locked in the contracts. If the intention is to use the Ether that functionality should be added to the function, otherwise it should revert.

There are 3 instances of this issue:

  1. Buyout.sol#L53
  2. Migration.sol#L63
  3. Vault.sol#L32

Findings Information

🌟 Selected for report: joestakey

Also found by: 0x1f8b, 0x29A, 0xA5DF, 0xKitsune, 0xNazgul, 0xNineDec, 0xalpharush, 0xkatana, 0xsanson, 0xsolstars, 8olidity, Avci, Bnke0x0, BowTiedWardens, Chom, Deivitto, ElKu, Fitraldys, Funen, IllIllI, JC, Kaiziron, Lambda, Limbooo, MEP, NoamYakov, PwnedNoMore, RedOneN, ReyAdmirado, Rohan16, Ruhum, Saintcode_, Sm4rty, TomJ, Tomio, TrungOre, Tutturu, Waze, _Adam, __141345__, ajtra, apostle0x01, asutorufos, benbaessler, brgltd, c3phas, codexploder, cryptphi, delfin454000, dharma09, djxploit, durianSausage, fatherOfBlocks, giovannidisiena, gogo, horsefacts, hrishibhat, hyh, ignacio, jocxyen, jonatascm, karanctf, kebabsec, kyteg, m_Rassska, mektigboy, oyc_109, pedr02b2, rbserver, robee, rokinot, sach1r0, sashik_eth, simon135, slywaters

Awards

37.4668 USDC - $37.47

Labels

bug
G (Gas Optimization)
sponsor acknowledged

External Links

Link to GitHub issue

1. Unnecessary assignment of Status.VALUE to "required" variable

Removing this assignment and directly checking Status.LIVE, Status.INACTIVE, and Status.SUCCESS saves about 10 gas per run, which in case of batchWithdrawERC1155 can mean a few hundred gas.

The issue is found in: 1. Buyout.sol 2. Migration.sol

In Buyout.sol there are 10 instances of this issue:

  1. L#67
  2. L#121
  3. L#158
  4. L#199
  5. L#252
  6. L#284
  7. L#323
  8. L#355
  9. L#391
  10. L#428

In Migration.sol there are 6 instances of this issue:

  1. L#85
  2. L#117
  3. L#149
  4. L#190
  5. L#226
  6. L#441

2. Replace i++ in for loops with unchecked {++i}

Since both install() and uninstall() are callable only by owner, and it is unrealistic to go through 2^256 values required for overflow, this should be safe and will result in gas savings.

There are two instances of this issue in Vault.sol:

  1. install() - L#78
  2. uninstall() - L#104
AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter