Platform: Code4rena
Start Date: 01/08/2022
Pot Size: $50,000 USDC
Total HM: 26
Participants: 133
Period: 5 days
Judge: Jack the Pug
Total Solo HM: 6
Id: 151
League: ETH
Rank: 10/133
Findings: 6
Award: $1,295.77
🌟 Selected for report: 0
🚀 Solo Findings: 0
165.6336 USDC - $165.63
Data+signature for previous calls of Community.escrow() can be called one more time by anyone, to reduce project's debt. It breaks all balances significantly between parties
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L508-L552 Community.escrow() reduces debt for a project. To call the function data+signature is required. If this transaction happened once, right to reduce debt are in onchain history. Anyone can call Community.escrow() now with these disclosed data+signature to reduce debt more and more.
Hardhat
Add nonce in data or store used data+signature
#0 - horsefacts
2022-08-06T20:29:18Z
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L386-L490 https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L330-L359
I have already commited the issue with the repeated calls of Project.changeOrder() by anyone. Here is a worse usecase - past subcontractor can steal funds from new subcontractor for task completed.
Subcontractor's fund for completion can be stolen by a previous subcontractor (if any). Bad subcontractor can frontrun setComplete() transaction, if he calls Project.changeOrder() with already disclosed data+signature, set himself an active subcontractor and receives funds from task completed.
Project.changeOrder() is used to change subcontractors for tasks and costs for tasks. Once this transaction is in history - it can be repeated by anyone using the same data+signature. And here is setComplete() function. https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L330-L359 It makes a task completed and transfers money to a subcontractor. The attack is:
Hardhat
Add nonce in data or store used data+signature
#0 - 0xA5DF
2022-08-11T15:32:34Z
Similar to #95, but not a dupe (only reusing signature, not re-completing a task).
Sidenote: this will only work if you have the signature of current SC, i.e. current SC was the SC when the changeOrder() was called in the first place.
Disclosure: #<h>95 is my bug
#1 - parv3213
2022-08-18T17:47:45Z
I say it a duplicate of https://github.com/code-423n4/2022-08-rigor-findings/issues/95
#2 - parv3213
2022-08-25T10:18:26Z
🌟 Selected for report: berndartmueller
423.254 USDC - $423.25
Anyone can create project. Creating project = mining NFT. At the beginning their owners are the same. But NFT means nothing, as with transferring NFT the ownership of the Project is not transferred (there is no way to change the builder for a project). It mean total dissinchronization between NFTs and Projects.
HomeFi.CreateProject() NFT allows transferring as it imports ERC721Upgradeable.sol Like in a deployed contract: https://rinkeby.etherscan.io/address/0x9361613391Ae3de8112F9571193268363B8704C5#writeProxyContract But Project.builder cannot be changed
Hardhat
Dissable transfership of change builders NFT is transferred.
#0 - jack-the-pug
2022-08-27T14:19:04Z
Duplicate of #413
🌟 Selected for report: MEP
Also found by: Haipls, byndooa, minhquanym
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L162-L182 https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L266-L293
It is expected that the data+signature for updateProjectHash() will be triggered once and for an exact project. But anyone can change a project hash, if he will find some easy matching parameters for another project.
Requirements to execute function for different projects with same inputs:
The same thing is for Project.updateTaskHash()
Hardhat
Add project_address to data like in Project.changeOrder()
#0 - parv3213
2022-08-17T06:43:11Z
Duplicate of #347
Anyone can frontrun initialization and feed any inputs. The project will not work. Some of inputs may allow project working, but can steal funds later (like HomeFi.treasury, HomeFi address in all contracts. Attacker can deploy his own contract with the hidden behavior, feed them to init() (as if it s a hobeFi contract) and steal funds when they appear on Community or Project contracts.
Below - Etherscan addresses with the transactions of contracts. Everywhere we see initialize() as a method for the first transaction - it means init() is a separate transaction after contract deploy.
[HomeFiProxy.sol] - deploy by EOA + init by EOA = in two transactions https://rinkeby.etherscan.io/address/0x5d00B82009E20E7fa4C1506d3D785702094C3828
[HomeFi.sol] - deployed by HomeFiProxy + init by EOA = in two transactions https://rinkeby.etherscan.io/address/0x9361613391Ae3de8112F9571193268363B8704C5
[Community.sol] - deployed by HomeFiProxy + init by EOA = in two transactions https://rinkeby.etherscan.io/address/0xDd725766c86B0BEe05A89b5587aAd4da3ACE37Ee
[Disputes.sol] - deployed by HomeFiProxy + init by EOA = in two transactions https://rinkeby.etherscan.io/address/0x448d745DeA689388CbAd5b1Bea8c204E9464C8C1
[ProjectFactory.sol] - deployed by HomeFiProxy + init by EOA = in two transactions https://rinkeby.etherscan.io/address/0xD2DE87906f78002058587123c31EDC43f94a6Bba
[DebtToken.sol] - deployed by HomeFiProxy + init by EOA = in two transactions https://rinkeby.etherscan.io/address/0x023b8c95230D20b8D961E1A3D865329ed68D948a
Also a proof - tests separate transactions too. Also a proof - initiateHomeFi() in HomeFiProxy deploys contracts without init()'s
Where everything is ok - Project.sol - Project both deployed initialized by ProjectFactory in one transaction.
Etherscan, Hardhat
Options:
#0 - 0xA5DF
2022-08-11T14:59:54Z
Duplicate of #6
🌟 Selected for report: Lambda
Also found by: 0x1f8b, 0x52, 0xA5DF, 0xNazgul, 0xNineDec, 0xSmartContract, 0xSolus, 0xf15ers, 0xkatana, 0xsolstars, 8olidity, Aymen0909, Bahurum, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Extropy, Funen, GalloDaSballo, Guardian, IllIllI, JC, Jujic, MEP, Noah3o6, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, SooYa, Soosh, Throne6g, TomJ, Tomio, TrungOre, Waze, Yiko, _Adam, __141345__, a12jmx, ajtra, ak1, arcoun, asutorufos, ayeslick, benbaessler, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, byndooa, c3phas, codexploder, cryptonue, cryptphi, defsec, delfin454000, dipp, djxploit, erictee, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hyh, ignacio, indijanc, joestakey, kaden, mics, minhquanym, neumo, obront, oyc_109, p_crypt0, pfapostol, poirots, rbserver, robee, rokinot, rotcivegaf, sach1r0, saian, samruna, saneryee, scaraven, sikorico, simon135, sseefried, supernova
40.6216 USDC - $40.62
Inputed _hash for HomeFi.sol is the URI for NFTs. Contracts do not check duplicates and do not check is it correct or not. It is not dangerous within smart-contracts (as NFT are not used much here), but it can be important together with frontend or backend. Hashes will not be unique.
createProject() https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L210-L232 mintNFT() https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L284-L297
Hardhat
Check is it necessary for NFT hashes to be unique - if so, write checks.