Platform: Code4rena
Start Date: 18/10/2022
Pot Size: $75,000 USDC
Total HM: 27
Participants: 144
Period: 7 days
Judge: gzeon
Total Solo HM: 13
Id: 170
League: ETH
Rank: 97/144
Findings: 2
Award: $6.83
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-10-holograph/blob/main/src/HolographOperator.sol#L283
https://github.com/code-423n4/2022-10-holograph/blob/main/src/HolographOperator.sol#L804
If the selected operator fails to complete a job by calling executeJob(), it can be slashed by another user. When the allowed duration has expired, 5 fallback operators can execute the job while timeDifference < 6. After that delay, any user can execute it and be rewarded with utility tokens.
In that case, any user can execute an expired job to slash the selected operator, not only registered operators. But if the user is not a registered operator, he will be unable to retrieve his gains from the contract; they will be frozen. He will be unable to get them through unbondUtilityToken() as _bondedOperators[operator] will be equal to 0 and he will not be able to register as an operator because _bondedAmounts[operator] will be greater than 0.
crossChainMessage() and an operator is selected to execute it
executeJob() during the allowed delay
executeJob() during the fallback delay
executeJob() to execute it
_getBaseBondAmount(pod) utility tokens are internally transferred to the user (L276-L283)
unbondUtilityToken() due to the _bondedOperators[operator] != 0 requirement (L804)
_bondedAmounts[operator] == 0 requirement (L758)
Manual review.
Allow the user to retrieve his gains or prevent him from gaining them.
#0 - gzeoneth
2022-10-30T16:29:13Z
Duplicate of #322
🌟 Selected for report: Rolezn
Also found by: 0x1f8b, 0x52, 0x5rings, 0xNazgul, 0xSmartContract, 0xZaharina, 0xhunter, 0xzh, 8olidity, Amithuddar, Aymen0909, B2, Bnke0x0, Chom, Deivitto, Diana, Diraco, Dravee, Franfran, JC, Jeiwan, Josiah, JrNet, Jujic, KingNFT, KoKo, Lambda, Margaret, Migue, Ocean_Sky, PaludoX0, Picodes, Rahoz, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Shinchan, Tagir2003, Trust, Waze, Yiko, __141345__, a12jmx, adriro, ajtra, arcoun, aysha, ballx, bin2chen, bobirichman, brgltd, bulej93, catchup, catwhiskeys, caventa, cccz, cdahlheimer, ch0bu, chaduke, chrisdior4, cloudjunky, cryptostellar5, cryptphi, csanuragjain, cylzxje, d3e4, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, hansfriese, i_got_hacked, ignacio, imare, karanctf, kv, leosathya, louhk, lukris02, lyncurion, m_Rassska, malinariy, martin, mcwildy, mics, minhtrng, nicobevi, oyc_109, pashov, peanuts, pedr02b2, peiw, rbserver, ret2basic, rotcivegaf, rvierdiiev, ryshaw, sakman, sakshamguruji, saneryee, securerodd, seyni, sikorico, svskaushik, teawaterwire, tnevler, w0Lfrum
0 USDC - $0.00
https://github.com/code-423n4/2022-10-holograph/blob/main/src/HolographFactory.sol#L118-L121
https://github.com/code-423n4/2022-10-holograph/blob/main/src/HolographFactory.sol#L234-L235
When deploying a holographable smart contract, the deployHolographableContract() method requires a signature to verify that the original creator's configuration has not been altered.
The signature verification checks the result of ecrecover() with an externally provided signer address. The result of ecrecover() and the signer address are not checked against address(0) so the verification can be bypassed by providing address(0) as the signer address.
deployHolographableContract() with signer equal to address(0)
deployHolographableContract() methods call _verifySigner() to validate the signature
ecrecover() calls return address(0) as the signatures are invalid but this is equal to signer
_verifySigner() function returns true, although the signature is invalid
Manual review.
Verify the return value of ecrecover() against address(0).
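The check described in this finding, as an added Solidity example that is not part of the original submission and is not Holograph's code: a simplified verifier that compares ecrecover() with a caller-supplied signer, next to a form that rejects address(0). The contract name, the function names and the hashed string are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example: a simplified model of the check the finding describes.
// SignerCheckExample, verifyLoose, verifyStrict and demo are hypothetical names.
contract SignerCheckExample {
    // Loose form: accepts any match between ecrecover() and the supplied signer.
    // ecrecover() returns address(0) when recovery fails, so a supplied signer
    // of address(0) matches a signature that nobody produced.
    function verifyLoose(bytes32 hash, uint8 v, bytes32 r, bytes32 s, address signer)
        public
        pure
        returns (bool)
    {
        return ecrecover(hash, v, r, s) == signer;
    }

    // Strict form: the mitigation from the finding. Both the supplied signer
    // and the recovered address must be non-zero before they are compared.
    function verifyStrict(bytes32 hash, uint8 v, bytes32 r, bytes32 s, address signer)
        public
        pure
        returns (bool)
    {
        if (signer == address(0)) return false;
        address recovered = ecrecover(hash, v, r, s);
        return recovered != address(0) && recovered == signer;
    }

    // Runs both forms on one constructed input: an all-zero signature
    // (v = 0 is neither 27 nor 28, so recovery fails) and signer = address(0).
    function demo() external pure returns (bool loose, bool strict) {
        bytes32 hash = keccak256("constructed deployment config");
        loose = verifyLoose(hash, 0, bytes32(0), bytes32(0), address(0));
        strict = verifyStrict(hash, 0, bytes32(0), bytes32(0), address(0));
    }
}
```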
#0 - gzeoneth
2022-10-30T15:27:20Z
Duplicate of #357
#1 - gzeoneth
2022-11-21T07:16:36Z
As QA report