Forgeries contest - ayeslick's results

A protocol for on-chain games with NFT prizes on Ethereum.

General Information

Platform: Code4rena

Start Date: 13/12/2022

Pot Size: $36,500 USDC

Total HM: 5

Participants: 77

Period: 3 days

Judge: gzeon

Total Solo HM: 1

Id: 191

League: ETH

Forgeries

Findings Distribution

Researcher Performance

Rank: 42/77

Findings: 1

Award: $45.71

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

45.7078 USDC - $45.71

Labels

bug
disagree with severity
downgraded by judge
grade-b
QA (Quality Assurance)
sponsor disputed
Q-22

External Links

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L90
https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L93

Vulnerability details

Impact

The owner can wait until block.timestamp has passed recoverTimelock, call startDraw, and then immediately call lastResortTimelockOwnerClaim, which lets them retrieve the NFT right away. Customers who paid for the drawingToken may lose their money when the owner rugs them this way.

Proof of Concept

1. Operator initializes a drawing.
2. Operator waits a week.
3. Operator calls the startDraw function, immediately followed by a call to lastResortTimelockOwnerClaim.
4. Operator is able to retrieve the NFT.

Recommended Mitigation Steps

Start recoveryTimelock when the owner calls startDraw.
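To make the timing argument concrete, here is an added Python model (not code from the Forgeries repository) that replays the PoC against a simplified draw contract whose recovery timelock is an absolute timestamp fixed at initialization, and against the mitigated variant that restarts the clock in startDraw. The class and field names and the one-week recovery delay are assumptions.

```python
from dataclasses import dataclass

WEEK = 7 * 24 * 60 * 60


class Revert(Exception):
    """Stands in for a Solidity revert."""


@dataclass
class RandomDraw:
    """Assumed, simplified model of the draw contract's timelock logic."""
    owner: str
    nft_holder: str            # who currently holds the prize NFT
    recover_timelock: int      # absolute unix timestamp, fixed at init
    restart_on_draw: bool      # False = reported behaviour, True = mitigation
    recovery_delay: int = WEEK
    draw_started: bool = False

    def start_draw(self, now: int) -> None:
        if self.draw_started:
            raise Revert("draw already started")
        self.draw_started = True
        if self.restart_on_draw:
            # Mitigation from the finding: the recovery clock starts here, so
            # ticket buyers always get the full delay after the draw opens.
            self.recover_timelock = now + self.recovery_delay

    def last_resort_timelock_owner_claim(self, now: int, caller: str) -> None:
        if caller != self.owner:
            raise Revert("not owner")
        if self.recover_timelock > now:
            raise Revert("RECOVERY_IS_NOT_YET_POSSIBLE")
        self.nft_holder = self.owner   # prize leaves the draw


def owner_claim_outcome(restart_on_draw: bool, wait_after_start: int = 0) -> bool:
    """Replay the PoC: init, wait a week, startDraw, then claim after `wait_after_start`."""
    t0 = 1_700_000_000                              # constructed init timestamp
    draw = RandomDraw("owner", "contract", t0 + WEEK, restart_on_draw)
    now = t0 + WEEK + 1                             # operator waits a week
    draw.start_draw(now)                            # users now pay for drawingToken
    try:
        draw.last_resort_timelock_owner_claim(now + wait_after_start, "owner")
    except Revert:
        return False
    return draw.nft_holder == "owner"
```

With the fixed timelock the claim succeeds in the same block as startDraw; with the restarted clock it reverts until a full recovery delay has passed after the draw opened.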

#0 - iainnash

2022-12-19T20:24:01Z

Would argue that this is by design since the recoveryTimelock is a fixed time and not an offset that is shown to the user.

The admin not starting the auction in the given time has the same effect as this as well. The intention is for startDraw to be called after starting the auction, so the same outcome could exist, just with a longer time buffer than waiting for a week.

#1 - c4-sponsor

2023-01-01T18:31:17Z

iainnash marked the issue as sponsor disputed

#2 - c4-sponsor

2023-01-01T18:31:28Z

iainnash marked the issue as disagree with severity

#3 - iainnash

2023-01-01T18:32:07Z

Pushed the wrong button – meant to say "Disagree with Severity".

#4 - c4-judge

2023-01-07T17:00:35Z

gzeon-c4 changed the severity to QA (Quality Assurance)

#5 - c4-judge

2023-01-07T17:00:50Z

gzeon-c4 marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
