Platform: Code4rena
Start Date: 11/11/2022
Pot Size: $36,500 USDC
Total HM: 5
Participants: 62
Period: 3 days
Judge: berndartmueller
Id: 181
League: ETH
Rank: 32/62
Findings: 2
Award: $89.03
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rotcivegaf
Also found by: 0x4non, 0xDecorativePineapple, 9svR6w, Trust, V_B, adriro, ajtra, aviggiano, brgltd, carlitox477, chaduke, codexploder, corerouter, joestakey, ladboy233, s3cunda, saian, wait
66.8068 USDC - $66.81
https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Exchange.sol#L161 https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Exchange.sol#L209 https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Exchange.sol#L212-L227
After sending ETh through call, the callStatus is not verified. If call does not succeed and there is gas remain, the operation won't revert, and the ETH will stay in the contract locked
Alice deploy a smart contract called RussianRullet that in certain conditions, when it receives ETH through receive function, can revert.
This contract also has a function called tryLuck which just calls Exchange.execute{value:msg.value([])} function
tryLuck with 1 ETHExchange.execute{value:msg.value([])} is executed_returnDust is executed, and ETH is send back to RussianRullet smart contractThe ETH send by Alice is now stuck in the contract.
Manual review
Check callStatus value, and in case it is false, revert the operation.
#0 - c4-judge
2022-11-16T11:56:26Z
berndartmueller marked the issue as duplicate of #90
#1 - c4-judge
2022-11-16T11:56:35Z
berndartmueller marked the issue as satisfactory
#2 - c4-judge
2022-12-06T14:17:13Z
berndartmueller changed the severity to 2 (Med Risk)
🌟 Selected for report: ReyAdmirado
Also found by: 0x4non, 0xRoxas, 0xab00, Awesome, Aymen0909, Bnke0x0, Deivitto, Diana, IllIllI, Rahoz, RaymondFam, Rolezn, Sathish9098, ajtra, aphak5010, aviggiano, c3phas, carlitox477, ch0bu, cryptostellar5, erictee, lukris02, martin, rotcivegaf, saian, shark, trustindistrust, zaskoh
22.2155 USDC - $22.22
_balances[msg.sender] can reduce one state variable access. Replace these lines for:
uitn256 _balance = _balances[msg.sender] require(_balance >= amount); _balance -= amount; _balances[msg.sender] = _balance
This line can be replaced by something like revert(ERROR_UNAUTORIZED_TRANSFER());
Note: Notice that this error was not caught by c4audit
_balances[from] is accessed three times. This can be reduced to just 2 by replacing these lines for:
uint256 fromBalance = _balances[from]; require(fromBalance >= amount); require(to != address(0)); fromBalance -= amount; _balances[from] = fromBalance _balances[to] += amount;
remainingETH is accessed 3 times. One access can be avoided by replacing these lines for
uint256 _remainingETH = remainingETH; require(_remainingETH >= price); _remainingETH -= price; remainingETH = _remainingETH;
blockRange is accessed 2 times. This can be reduced to just 1 by replacing this lines for emit NewBlockRange(_blockRange);
oracle is accessed 2 times. This can be reduced to just 1 by replacing this line for emit NewOracle(_oracle);
policyManager is accessed 2 times. This can be reduced to just 1 by replacing this line for emit NewPolicyManager(_policyManager);
executionDelegate is accessed 2 times. This can be reduced to just 1 by replacing this line for emit NewExecutionDelegate(_executionDelegate);
nonces[msg.sender] is accessed 3 times. This can be reduced to just 1 by replacing these lines for:
nonce = nonces[msg.sender] + 1 nonces[msg.sender] = nonce; emit NonceIncremented(msg.sender, nonce);
#0 - c4-judge
2022-11-17T14:14:00Z
berndartmueller marked the issue as grade-b