Back to bin2chen's contests

Holograph contest - bin2chen's results

Omnichain protocol for deploying, minting, & bridging NFTs between blockchains.

General Information

Platform: Code4rena

Start Date: 18/10/2022

Pot Size: $75,000 USDC

Total HM: 27

Participants: 144

Period: 7 days

Judge: gzeon

Total Solo HM: 13

Id: 170

League: ETH

Holograph

Findings Distribution

Researcher Performance

Rank: 8/144

Findings: 2

Award: $2,594.44

QA:
grade-b

🌟 Selected for report: 1

🚀 Solo Findings: 1

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryHolograph

Findings Information

🌟 Selected for report: bin2chen

Labels

bug
2 (Med Risk)
sponsor confirmed
selected for report
responded

Awards

2538.7702 USDC - $2,538.77

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/src/enforcer/HolographERC721.sol#L392

Vulnerability details

Impact

beforeApprovalAll() / afterApprovalAll() can only pass "to" and "approved", missing "owner", if contract listening to this event,but does not know who approve it, so can not react to this event Basically, this event cannot be used

Proof of Concept

  function setApprovalForAll(address to, bool approved) external {
....

    if (_isEventRegistered(HolographERC721Event.beforeApprovalAll)) {
      require(SourceERC721().beforeApprovalAll(to, approved)); /***** only to/approved ,need owner
    }  

    _operatorApprovals[msg.sender][to] = approved;

    if (_isEventRegistered(HolographERC721Event.afterApprovalAll)) {
      require(SourceERC721().afterApprovalAll(to, approved)); /***** only to/approved ,need owner
    }
  }

Tools Used

add parameter: owner

interface HolographedERC721 {
...

- function beforeApprovalAll(address _to, bool _approved) external returns (bool success);
+ function beforeApprovalAll(address owner, address _to, bool _approved) external returns (bool success);

- function afterApprovalAll(address _to, bool _approved) external returns (bool success);
+ function afterApprovalAll(address owner, address _to, bool _approved) external returns (bool success);

  function setApprovalForAll(address to, bool approved) external {

    if (_isEventRegistered(HolographERC721Event.beforeApprovalAll)) {
-     require(SourceERC721().beforeApprovalAll(to, approved)); 
+     require(SourceERC721().beforeApprovalAll(msg.sender,to, approved)); 
    }  

    _operatorApprovals[msg.sender][to] = approved;

    if (_isEventRegistered(HolographERC721Event.afterApprovalAll)) {
-      require(SourceERC721().afterApprovalAll(to, approved));
+      require(SourceERC721().afterApprovalAll(msg.sender,to, approved));
    }
  }

#0 - alexanderattar

2022-11-08T06:23:15Z

Good catch. This will be updated so that beforeApprovalAll and afterApprovalAll passes in owner

Findings Information

🌟 Selected for report: Rolezn

Also found by: 0x1f8b, 0x52, 0x5rings, 0xNazgul, 0xSmartContract, 0xZaharina, 0xhunter, 0xzh, 8olidity, Amithuddar, Aymen0909, B2, Bnke0x0, Chom, Deivitto, Diana, Diraco, Dravee, Franfran, JC, Jeiwan, Josiah, JrNet, Jujic, KingNFT, KoKo, Lambda, Margaret, Migue, Ocean_Sky, PaludoX0, Picodes, Rahoz, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Shinchan, Tagir2003, Trust, Waze, Yiko, __141345__, a12jmx, adriro, ajtra, arcoun, aysha, ballx, bin2chen, bobirichman, brgltd, bulej93, catchup, catwhiskeys, caventa, cccz, cdahlheimer, ch0bu, chaduke, chrisdior4, cloudjunky, cryptostellar5, cryptphi, csanuragjain, cylzxje, d3e4, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, hansfriese, i_got_hacked, ignacio, imare, karanctf, kv, leosathya, louhk, lukris02, lyncurion, m_Rassska, malinariy, martin, mcwildy, mics, minhtrng, nicobevi, oyc_109, pashov, peanuts, pedr02b2, peiw, rbserver, ret2basic, rotcivegaf, rvierdiiev, ryshaw, sakman, sakshamguruji, saneryee, securerodd, seyni, sikorico, svskaushik, teawaterwire, tnevler, w0Lfrum

Awards

55.6726 USDC - $55.67

Labels

bug
QA (Quality Assurance)
sponsor confirmed
responded
grade-b

External Links

Link to GitHub issue

1: UNSAFE USAGE OF ERC20 TRANSFER

Some ERC20 tokens functions don’t return a boolean, for example USDT, BNB, OMG. So the Multiswap contract simply won’t work with tokens like that as the token.

The USDT’s transfer and transferFrom functions doesn’t return a bool, so the call to these functions will revert although the user has enough balance and the PA1D contract won’t work, assuming that token is USDT.

  function _payoutToken(address tokenAddress) private {
...
    for (uint256 i = 0; i < length; i++) {

      require(erc20.transfer(addresses[i], sending), "PA1D: Couldn't transfer token"); /**** UNSAFE USAGE OF ERC20 TRANSFER **/

    }
  }

Suggestions: Use the OpenZepplin’s safeTransfer and safeTransferFrom functions.

L2: configurePayouts() Add the judgment that payaddress cannot be address(0); PA1D.sol

  function configurePayouts(address payable[] memory addresses, uint256[] memory bps) public onlyOwner {

    for (uint256 i = 0; i < addresses.length; i++) {
+     require(addresses[i]!=address(0));
      totalBp = totalBp + bps[i];
    }
...
  }

L-03: Variable naming error

- function getDeploymentBlock() external view returns (address holograph) {
+ function getDeploymentBlock() external view returns (address blockHeight) {
    assembly {
-     holograph := sload(_blockHeightSlot)
+     blockHeight := sload(_blockHeightSlot)
    }
  }
AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter