Platform: Code4rena
Start Date: 12/09/2022
Pot Size: $75,000 USDC
Total HM: 19
Participants: 110
Period: 7 days
Judge: HardlyDifficult
Total Solo HM: 9
Id: 160
League: ETH
Rank: 29/110
Findings: 1
Award: $141.35
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Lambda
Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xDanielC, 0xNazgul, 0xSmartContract, 0xbepresent, Anth3m, Aymen0909, B2, CRYP70, CertoraInc, Ch_301, Chom, ChristianKuri, CodingNameKiki, Deivitto, Funen, JC, JansenC, Jeiwan, KIntern_NA, MasterCookie, MiloTruck, Olivierdem, PaludoX0, R2, RaymondFam, ReyAdmirado, StevenL, The_GUILD, Tomo, Trust, V_B, __141345__, asutorufos, ayeslick, bin2chen, brgltd, bulej93, c3phas, cccz, ch0bu, cryptphi, csanuragjain, d3e4, delfin454000, djxploit, erictee, fatherOfBlocks, gogo, hansfriese, indijanc, ladboy233, leosathya, lukris02, malinariy, martin, pedr02b2, pfapostol, rvierdiiev, slowmoses, smiling_heretic, tnevler, wagmi
141.3476 USDC - $141.35
The docs say that a crowdfund should only use trusted market wrappers but how would an average person know if the crowdfund they’re contributing to is using a trusted market wrapper? The potential impact is described in part below.
An operator deploys an Auction Crowdfund with a malicious market wrapper.
Auction Crowdfund delegate calls the market wrapper. As a result, the malicious market wrapper can manipulate everything within the Auction Crowdfund's context except for immutable & constant variables.
With this, the operator can create a market wrapper that:
Drains the ETH from the contract.
Doesn’t bid when the function is called but instead sends the ETH to an address the operator controls.
Changes the nftContract variable to a custom NFT that the operator transfers to the contract. When the finalize function is called it checks for this custom contract and creates a party around the wrong NFT.
Calls another operator-controlled contract that does the bidding. If the auction is successful, the NFT goes to the operator-controlled contract. When finalize is called it will show that it was unsuccessful because the contract does not have the NFT. In a nutshell, the operator is able to use Auction funds to win the NFT but the contributors get nothing.
Hash and store all of the variables before and after the delegate call to the market wrapper then compare the results after to make sure nothing was modified. Similar to the way governanceOpts is checked.
OR
Restrict the market wrappers creators can use.
OR
Provide a set of trusted market wrappers. If a crowdfund creator uses a market wrapper that isn’t trusted, highlight this so contributors can make an informed decision.
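The first mitigation above (hash the state before and after the delegate call), sketched as an added example that is not part of the warden's submission or the audited project's code. Apart from nftContract, every name here (IMarketWrapperLike, GuardedCrowdfundSketch, the storage layout, the error names) is a hypothetical stand-in.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical wrapper interface, assumed for this sketch only.
interface IMarketWrapperLike {
    function bid(uint256 auctionId, uint256 amount) external payable;
}

abstract contract GuardedCrowdfundSketch {
    // Mutable storage that delegatecalled wrapper code is able to overwrite.
    address public nftContract;
    uint256 public nftTokenId;
    uint256 public auctionId;
    address public market;
    bytes32 public governanceOptsHash;
    uint256 public lastBid;

    error WrapperCallFailed(bytes reason);
    error StateChangedByWrapper();
    error UnexpectedBalance(uint256 expected, uint256 actual);

    // Covers only the variables listed; mappings and dynamic arrays cannot be
    // hashed this way and need their own invariant (for example a running total).
    function _stateHash() private view returns (bytes32) {
        return keccak256(abi.encode(
            nftContract, nftTokenId, auctionId, market, governanceOptsHash, lastBid
        ));
    }

    function _bidViaWrapper(uint256 amount) internal {
        bytes32 stateBefore = _stateHash();
        uint256 balanceBefore = address(this).balance;

        (bool ok, bytes memory ret) = market.delegatecall(
            abi.encodeCall(IMarketWrapperLike.bid, (auctionId, amount))
        );
        if (!ok) revert WrapperCallFailed(ret);

        // Any write to the tracked slots by the wrapper reverts the whole bid.
        if (_stateHash() != stateBefore) revert StateChangedByWrapper();

        // Exactly `amount` may leave the contract. Assumption: the market does
        // not refund an earlier bid to this contract during the same call.
        uint256 expected = balanceBefore - amount;
        uint256 actual = address(this).balance;
        if (actual != expected) revert UnexpectedBalance(expected, actual);

        lastBid = amount;
    }
}
```

The guard detects storage tampering and over-spending, but it cannot show that the ETH reached the real auction or that the crowdfund is the recorded bidder. Those cases still depend on the other two mitigations, restricting or flagging the wrappers a creator can use.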
#0 - merklejerk
2022-09-21T18:18:48Z
Duplicate of #198
#1 - HardlyDifficult
2022-09-30T21:21:30Z
See dupe for context.
Converting into a QA report for the warden.