Fractional v2 contest - auditor0517's results

A collective ownership platform for NFTs on Ethereum.

General Information

Platform: Code4rena

Start Date: 07/07/2022

Pot Size: $75,000 USDC

Total HM: 32

Participants: 141

Period: 7 days

Judge: HardlyDifficult

Total Solo HM: 4

Id: 144

League: ETH

Fractional

Researcher Performance

Rank: 90/141

Findings: 1

Award: $81.30

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
duplicate
3 (High Risk)

Awards

81.2985 USDC - $81.30

External Links

Lines of code

https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/modules/Migration.sol#L433-L482

Vulnerability details

Impact

Users might steal more shares of new fractions using Migration.migrateFractions(). This function is called after successful migration and it doesn't reset the user's contribution.

Proof of Concept

The user's contribution must be reset after this one.

Otherwise users can get additional shares by calling this function repeatedly.

Tools Used

Manual Review

Recommend inserting the code below at L464:

    userProposalEth[_proposalId][msg.sender] = 0;
    userProposalFractions[_proposalId][msg.sender] = 0;
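
The repeated claim described in this finding and the recommended reset, side by side in a reduced Solidity model. This is an added example, not code from the report or from Fractional's Migration.sol; apart from userProposalEth and userProposalFractions, every name and the payout formula are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
// Reduced model for illustration; NOT the Fractional Migration.sol source.
// Only userProposalEth and userProposalFractions are names from the finding;
// the totals, the pool and the payout formula are assumptions.
contract MigrationClaimModel {
    mapping(uint256 => mapping(address => uint256)) public userProposalEth;
    mapping(uint256 => mapping(address => uint256)) public userProposalFractions;
    mapping(uint256 => uint256) public totalEth;       // assumed per-proposal totals
    mapping(uint256 => uint256) public totalFractions;
    mapping(uint256 => uint256) public newSupply;      // new fractions minted at migration
    mapping(uint256 => uint256) public pool;           // new fractions not yet handed out
    mapping(address => uint256) public claimed;        // new fractions received so far

    function contribute(uint256 id, uint256 eth, uint256 fractions) external {
        userProposalEth[id][msg.sender] += eth;
        userProposalFractions[id][msg.sender] += fractions;
        totalEth[id] += eth;
        totalFractions[id] += fractions;
    }
    function settle(uint256 id, uint256 supply) external {
        newSupply[id] = supply;
        pool[id] = supply;
    }
    // Pro-rata share computed from the recorded contribution (assumed formula).
    function _owed(uint256 id, address user) internal view returns (uint256) {
        uint256 mine = userProposalEth[id][user] + userProposalFractions[id][user];
        uint256 all = totalEth[id] + totalFractions[id];
        if (all == 0) return 0;
        return (newSupply[id] * mine) / all;
    }
    // Before: the contribution is read but never cleared, so each call pays the
    // same share again until the pool underflows and later claimants revert.
    function migrateFractionsVulnerable(uint256 id) external {
        uint256 owed = _owed(id, msg.sender);
        pool[id] -= owed;
        claimed[msg.sender] += owed;
    }
    // After: both records are zeroed before the payout, so a second call
    // computes owed == 0 and reverts.
    function migrateFractionsFixed(uint256 id) external {
        uint256 owed = _owed(id, msg.sender);
        require(owed > 0, "nothing to claim");
        userProposalEth[id][msg.sender] = 0;
        userProposalFractions[id][msg.sender] = 0;
        pool[id] -= owed;
        claimed[msg.sender] += owed;
    }
}
```

A regression test for the fix is to call the claim function twice from the same address and assert that the second call reverts and that `claimed` did not change.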

#0 - 0x0aa0

2022-07-21T16:12:06Z

Duplicate of #460

#1 - HardlyDifficult

2022-08-11T17:19:04Z
