Escher contest - asgeir's results

A decentralized curated marketplace for editioned artwork.

General Information

Platform: Code4rena

Start Date: 06/12/2022

Pot Size: $36,500 USDC

Total HM: 16

Participants: 119

Period: 3 days

Judge: berndartmueller

Total Solo HM: 2

Id: 189

League: ETH

Escher

Researcher Performance

Rank: 107/119

Findings: 1

Award: $0.61

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/LPDA.sol#L86

Vulnerability details

Impact

After a mint sale using LPDA, all the Ether can be locked in the LPDA contract indefinitely.

Proof of Concept

In the src/minters/* contracts, the .transfer() function is used for sending Ether. It is used for sending fees to the feeReceiver, and in the src/minters/LPDA.sol contract, it is also used for sending Ether to the saleReceiver.

In both cases, the transfer function will revert if the receiving address is a contract with a receive function (or a fallback function if there is no receive function) that uses more than 2300 gas, or if the transfer fails for other reasons.

In the case of transfers to the feeReceiver, it would be possible to set a new feeReceiver (via the setFeeReceiver function in the factory). However, if the transfers to the saleReceiver revert, there is no remedy, since the saleReceiver cannot be changed. Also, this would likely not be discovered before the sale of the final NFT. In this case, the Ether will be locked in the contract indefinitely.

https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/LPDA.sol#L86

Tools Used

Foundry

To mitigate this, the Ether should be sent using a call instead, and a reentrancy guard should be added (even though I can't see any reentrancy vulnerability, it can be good hygiene to mitigate reentrancy when later updating the contracts).
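The failure mode and the suggested mitigation side by side, as an added example that is not part of the original finding and is not Escher's code. The contract names `StorageWritingReceiver` and `PayoutDemo`, and both payout functions, are hypothetical and constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed receiver: its receive() writes to storage, which needs more
// than the 2300 gas that transfer() forwards (typical of wallet contracts).
contract StorageWritingReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value;
    }
}

// Hypothetical minimal payout contract used only to show the pattern.
contract PayoutDemo {
    // Fixed at deployment and never changeable, like the saleReceiver in the finding.
    address payable public immutable saleReceiver;
    uint256 private locked = 1;

    constructor(address payable _saleReceiver) payable {
        saleReceiver = _saleReceiver;
    }

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    // Before: reverts whenever the receiver needs more than the 2300 gas
    // stipend, so with an immutable receiver the balance can never leave.
    function payoutWithTransfer() external {
        saleReceiver.transfer(address(this).balance);
    }

    // After: forwards the remaining gas, checks the result explicitly,
    // and is protected by the reentrancy guard because call() hands over control.
    function payoutWithCall() external nonReentrant {
        uint256 amount = address(this).balance;
        (bool ok, ) = saleReceiver.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```

Deployed with a `StorageWritingReceiver` as the receiver, `payoutWithTransfer` reverts and `payoutWithCall` succeeds. Using `call` only removes the gas-stipend failure; a receiver that always reverts still blocks the payout.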

#0 - c4-judge

2022-12-10T00:32:59Z

berndartmueller marked the issue as duplicate of #99

#1 - c4-judge

2023-01-03T12:49:12Z

berndartmueller marked the issue as satisfactory
