Platform: Code4rena
Start Date: 21/07/2023
Pot Size: $90,500 USDC
Total HM: 8
Participants: 60
Period: 7 days
Judge: 0xean
Total Solo HM: 2
Id: 264
League: ETH
Rank: 41/60
Findings: 1
Award: $312.74
🌟 Selected for report: 0
🚀 Solo Findings: 0
312.7392 USDC - $312.74
As things stand, there is no way to identify which user addresses hold a given NFT token locked in the contract. Consequently, if a new multiplier is lower than the previous one, a "malicious" user could exploit this gap: nobody knows to call updateVotingPower() for their address, so they retain their previous, higher voting power.
When the manager sets a new multiplier via setMultiplier(), the storage returned by _getMultipliers() is updated with the fresh value for the particular token.
```solidity
function setMultiplier(address tokenAddress, uint128 tokenId, uint128 multiplierValue) public override onlyManager {
    if (multiplierValue > MAX_MULTIPLIER) revert NBV_MultiplierLimit();

    NFTBoostVaultStorage.AddressUintUint storage multiplierData = _getMultipliers()[tokenAddress][tokenId];
    // set multiplier value
    multiplierData.multiplier = multiplierValue;

    emit MultiplierSet(tokenAddress, tokenId, multiplierValue);
}
```
Following this, someone must call updateVotingPower() with the affected user addresses so their voting power is resynchronised.
```solidity
function updateVotingPower(address[] calldata userAddresses) public override {
    if (userAddresses.length > 50) revert NBV_ArrayTooManyElements();

    for (uint256 i = 0; i < userAddresses.length; ++i) {
        NFTBoostVaultStorage.Registration storage registration = _getRegistrations()[userAddresses[i]];
        _syncVotingPower(userAddresses[i], registration);
    }
}
```
While the contract exposes several getters, none of them allows users to be located by token address and tokenID, which is exactly what is needed to update their voting power after a multiplier changes. As a result, an affected user may go unnoticed and their voting power will not be changed.
Tools Used
VS
To address this issue, add a function to the contract that returns the addresses of users registered with a particular token address and tokenID. With the returned addresses, updateVotingPower() can be called immediately after the new multiplier is set, ensuring that users' voting powers are accurately updated following any change.
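One way to provide such a lookup, as an added illustration that is not the project's code: a reverse index from a locked (tokenAddress, tokenId) pair to the registered user addresses, maintained where the vault records and releases registrations, plus a paginated getter sized for updateVotingPower()'s 50-address limit. The names `_holders`, `_holderIndex`, `_indexHolder`, `_unindexHolder` and `getHoldersOf` are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added example, not the project's code. The index lets the manager look up
/// whom to pass to updateVotingPower() right after setMultiplier(); all names are assumed.
contract HolderIndexExample {
    // key = keccak256(tokenAddress, tokenId) -> users currently registered with that token
    mapping(bytes32 => address[]) private _holders;
    // key -> user -> (position in _holders[key]) + 1; 0 means "not present"
    mapping(bytes32 => mapping(address => uint256)) private _holderIndex;

    function _key(address tokenAddress, uint128 tokenId) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(tokenAddress, tokenId));
    }

    /// Hook for the registration path: record that `user` locked this token.
    function _indexHolder(address user, address tokenAddress, uint128 tokenId) internal {
        bytes32 key = _key(tokenAddress, tokenId);
        if (_holderIndex[key][user] != 0) return; // already indexed
        _holders[key].push(user);
        _holderIndex[key][user] = _holders[key].length; // stored 1-based
    }

    /// Hook for the withdraw / token-change path: swap-and-pop removal keeps the list dense.
    function _unindexHolder(address user, address tokenAddress, uint128 tokenId) internal {
        bytes32 key = _key(tokenAddress, tokenId);
        uint256 idxPlusOne = _holderIndex[key][user];
        if (idxPlusOne == 0) return; // not indexed, nothing to do
        address[] storage list = _holders[key];
        uint256 last = list.length - 1;
        uint256 idx = idxPlusOne - 1;
        if (idx != last) {
            address moved = list[last];
            list[idx] = moved;
            _holderIndex[key][moved] = idxPlusOne; // moved entry takes the freed slot
        }
        list.pop();
        delete _holderIndex[key][user];
    }

    /// Paginated getter: the manager reads holders in chunks of at most 50 and feeds each
    /// chunk to updateVotingPower(), avoiding an unbounded loop inside setMultiplier().
    function getHoldersOf(address tokenAddress, uint128 tokenId, uint256 offset, uint256 limit)
        external view returns (address[] memory page)
    {
        address[] storage list = _holders[_key(tokenAddress, tokenId)];
        if (offset >= list.length) return page; // empty page past the end
        uint256 end = offset + limit;
        if (end > list.length) end = list.length;
        page = new address[](end - offset);
        for (uint256 i = offset; i < end; ++i) page[i - offset] = list[i];
    }
}
```

The holder list is per (tokenAddress, tokenId) rather than a single address because several users may lock the same ERC1155 id; the getter is read off-chain and its pages passed to updateVotingPower() in the same transaction batch as setMultiplier().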
Context
#0 - c4-pre-sort
2023-07-30T08:39:08Z
141345 marked the issue as duplicate of #160
#1 - c4-pre-sort
2023-08-01T09:15:15Z
141345 marked the issue as duplicate of #431
#2 - c4-judge
2023-08-11T16:05:08Z
0xean marked the issue as satisfactory