Platform: Code4rena
Start Date: 12/07/2022
Pot Size: $75,000 USDC
Total HM: 16
Participants: 100
Period: 7 days
Judge: LSDan
Total Solo HM: 7
Id: 145
League: ETH
Rank: 18/100
Findings: 2
Award: $534.36
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: wastewa
Also found by: Limbooo, PwnedNoMore, bin2chen, ronnyx2017
455.4935 USDC - $455.49
Judge has assessed an item in Issue #143 as Medium risk. The relevant finding follows:
2. ETHRegistrarController.register() accepts any "resolver" and "data" parameters, and ETHRegistrarController then performs a "functionCall" with them.
It is possible to pass malicious parameters. For example, resolver = baseRegistrar.address and data = baseRegistrar.register() will register a "weird" ENS name:
```js
var tx = await controller.register(
  "testtest",
  registrantAccount,
  REGISTRATION_TIME,
  secret,
  baseRegistrar.address, // resolver = baseRegistrar.address
  [
    baseRegistrar.interface.encodeFunctionData(
      // data = baseRegistrar.register()
      "register(uint256,address,uint256)",
      [
        namehash.hash("testtest.eth"),
        registrantAccount,
        REGISTRATION_TIME * 10000,
      ]
    ),
  ],
  false,
  0,
  0,
  { value: BUFFERED_REGISTRATION_COST }
);
```
Recommendation: add
```solidity
require(
    resolver != address(base) &&
    resolver != address(nameWrapper) &&
    resolver != address(this)
);
```
#0 - dmvt
2022-09-22T15:12:52Z
duplicate of #132
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 8olidity, Aussie_Battlers, Bnke0x0, Ch_301, Critical, Deivitto, Dravee, ElKu, Funen, GimelSec, JC, JohnSmith, Lambda, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, TomJ, Waze, _Adam, __141345__, alan724, asutorufos, benbaessler, berndartmueller, bin2chen, brgltd, bulej93, c3phas, cRat1st0s, cryptonue, cryptphi, csanuragjain, delfin454000, dxdv, exd0tpy, fatherOfBlocks, gogo, hake, hyh, joestakey, kyteg, lcfr_eth, minhtrng, p_crypt0, pashov, pedr02b2, philogy, rajatbeladiya, rbserver, rishabh, robee, rokinot, sach1r0, sashik_eth, seyni, simon135, svskaushik, zuhaibmohd, zzzitron
78.8735 USDC - $78.87
1. ETHRegistrarController.renew() passes the wrong "cost" parameter to the NameRenewed event: https://github.com/code-423n4/2022-07-ens/blob/ff6e59b9415d0ead7daf31c2ed06e86d9061ae22/contracts/ethregistrar/ETHRegistrarController.sol#L207
```solidity
function renew(string calldata name, uint256 duration) external payable override {
    .....
    emit NameRenewed(name, label, msg.value, expires);
    /**** change to: emit NameRenewed(name, label, price.base, expires); ****/
    .....
}
```
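The fix described in this item, as an added example that is not the ENS project's code: a stripped-down controller whose renew() refunds any overpayment and logs the amount actually charged rather than msg.value. IBaseRegistrarLike, MockBaseRegistrar, RenewExample and the flat per-second price are constructed for the example; the real controller prices names through an oracle.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Constructed stand-in for the registrar the controller renews against.
interface IBaseRegistrarLike {
    function renew(uint256 id, uint256 duration) external returns (uint256);
}

// Minimal mock so the example deploys on its own (not the ENS BaseRegistrar).
contract MockBaseRegistrar is IBaseRegistrarLike {
    mapping(uint256 => uint256) public expiries;

    function renew(uint256 id, uint256 duration) external override returns (uint256) {
        uint256 from = expiries[id] > block.timestamp ? expiries[id] : block.timestamp;
        expiries[id] = from + duration;
        return expiries[id];
    }
}

contract RenewExample {
    struct Price {
        uint256 base;
        uint256 premium;
    }

    IBaseRegistrarLike public immutable base;
    uint256 public immutable pricePerSecond; // constructed flat rate instead of a price oracle

    // Same event shape as the finding: the third field is the cost.
    event NameRenewed(string name, bytes32 indexed label, uint256 cost, uint256 expires);

    constructor(IBaseRegistrarLike _base, uint256 _pricePerSecond) {
        base = _base;
        pricePerSecond = _pricePerSecond;
    }

    function rentPrice(string memory, uint256 duration) public view returns (Price memory) {
        return Price({base: duration * pricePerSecond, premium: 0});
    }

    function renew(string calldata name, uint256 duration) external payable {
        bytes32 label = keccak256(bytes(name));
        Price memory price = rentPrice(name, duration);
        require(msg.value >= price.base, "Not enough Ether provided for renewal");

        uint256 expires = base.renew(uint256(label), duration);

        // Overpayment is returned, so msg.value is not what the caller ended up paying.
        if (msg.value > price.base) {
            payable(msg.sender).transfer(msg.value - price.base);
        }

        // Log the charged amount. Emitting msg.value here would overstate the cost
        // by the refunded excess to any indexer or accounting job reading the event.
        emit NameRenewed(name, label, price.base, expires);
    }
}
```

Deploy MockBaseRegistrar, then RenewExample with its address and a price per second; a renew() call that sends more than duration * pricePerSecond gets the difference back and the event records the base price, so on-chain and logged cost agree.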
2. ETHRegistrarController.register() accepts any "resolver" and "data" parameters, and ETHRegistrarController then performs a "functionCall" with them.
It is possible to pass malicious parameters. For example, resolver = baseRegistrar.address and data = baseRegistrar.register() will register a "weird" ENS name:
```js
var tx = await controller.register(
  "testtest",
  registrantAccount,
  REGISTRATION_TIME,
  secret,
  baseRegistrar.address, // resolver = baseRegistrar.address
  [
    baseRegistrar.interface.encodeFunctionData(
      // data = baseRegistrar.register()
      "register(uint256,address,uint256)",
      [
        namehash.hash("testtest.eth"),
        registrantAccount,
        REGISTRATION_TIME * 10000,
      ]
    ),
  ],
  false,
  0,
  0,
  { value: BUFFERED_REGISTRATION_COST }
);
```
Recommendation: add
```solidity
require(
    resolver != address(base) &&
    resolver != address(nameWrapper) &&
    resolver != address(this)
);
```
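The recommended guard in place, as an added example that is not the ENS project's code (it also covers the same item quoted under the Medium finding above): a reduced controller whose record-setting loop refuses the registrar, the name wrapper and the controller itself as the resolver before performing any functionCall. IBaseRegistrarLike, SetRecordsExample, the per-record node check and the OpenZeppelin Address import are the example's own; only the require condition comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

import "@openzeppelin/contracts/utils/Address.sol";

// Constructed stand-in for the privileged registrar the controller is allowed to call.
interface IBaseRegistrarLike {
    function register(uint256 id, address owner, uint256 duration) external returns (uint256);
}

contract SetRecordsExample {
    using Address for address;

    IBaseRegistrarLike public immutable base;
    address public immutable nameWrapper;

    constructor(IBaseRegistrarLike _base, address _nameWrapper) {
        base = _base;
        nameWrapper = _nameWrapper;
    }

    // namehash("eth"), computed from the namehash recursion rather than hardcoded.
    function ethNode() internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(bytes32(0), keccak256("eth")));
    }

    // External entry point for the example; the real controller reaches this
    // path from register().
    function setRecords(address resolver, string calldata name, bytes[] calldata data) external {
        _setRecords(resolver, keccak256(bytes(name)), data);
    }

    function _setRecords(address resolver, bytes32 label, bytes[] calldata data) internal {
        // Guard from the finding. The controller holds privileges on these contracts,
        // so letting the caller pick one of them as "resolver" turns user-supplied
        // `data` into a privileged call made by the controller (the PoC above uses
        // this to register a name with a duration it never paid for).
        require(
            resolver != address(base) &&
                resolver != nameWrapper &&
                resolver != address(this),
            "resolver must not be a privileged contract"
        );

        bytes32 nodehash = keccak256(abi.encodePacked(ethNode(), label));
        for (uint256 i = 0; i < data.length; i++) {
            // Node check (this example's own): each record must target the name being
            // registered. It constrains the calldata, not the call target, which is
            // why the resolver guard above is still needed.
            require(data[i].length >= 36, "record too short");
            require(bytes32(data[i][4:36]) == nodehash, "record node mismatch");
            resolver.functionCall(data[i]);
        }
    }
}
```

A call whose resolver equals any of the three addresses reverts before the loop runs; an ordinary resolver address proceeds to the per-record checks. The guard is a denylist of exactly the contracts the controller holds privileges on, so any privileged dependency added to the controller later has to be added to the condition as well.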
#0 - jefflau
2022-08-01T09:14:08Z