Platform: Code4rena
Start Date: 08/11/2022
Pot Size: $60,500 USDC
Total HM: 6
Participants: 72
Period: 5 days
Judge: Picodes
Total Solo HM: 2
Id: 178
League: ETH
Rank: 6/72
Findings: 3
Award: $3,864.16
π Selected for report: 0
π Solo Findings: 0
π Selected for report: 0xSmartContract
Also found by: carrotsmuggler
3750.5995 USDC - $3,750.60
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/TokenRescuer.sol#L14-L39 https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/OwnableTwoSteps.sol#L125-L127
Contract TokenRescuer inherits the contract OwnableTwoSteps but does not set any delay. There should be a constructor in TokenRescuer responsible for setting the delay as described in the comments of the OwnableTwoSteps contract. Without any delay, ownership can be changed/revoked within a single block.
contract TokenRescuer is OwnableTwoSteps, LowLevelETH, LowLevelERC20Transfer { error InsufficientAmount(); // @audit: Missing constructor/ call to _setupDelayForRenouncingOwnership function rescueETH(address to) external onlyOwner function rescueERC20(address currency, address to) external onlyOwner }
forge
Add a constructor to TokenRescuer setting a delay of 1 day for ownership changes/revoking.
#0 - c4-judge
2022-11-21T11:52:20Z
Picodes marked the issue as primary issue
#1 - c4-judge
2022-11-21T16:41:32Z
Picodes marked the issue as satisfactory
#2 - c4-sponsor
2022-11-24T12:42:45Z
0xhiroshi marked the issue as disagree with severity
#3 - 0xhiroshi
2022-11-24T12:44:46Z
valid but it sounds like a low risk to me (also we are going to time delay completely)
#4 - Picodes
2022-12-11T12:31:15Z
To me this is a case of "break of functionality" where the intent of the code is clearly to have a two step ownership transfer but it is not. As this safeguard may be important for decision-making (e.g. giving an unlimited approval to ERC20EnabledLooksRareAggregator), I think Medium severity is appropriate.
#5 - 0xhiroshi
2022-12-12T09:14:28Z
To me this is a case of "break of functionality" where the intent of the code is clearly to have a two step ownership transfer but it is not. As this safeguard may be important for decision-making (e.g. giving an unlimited approval to
ERC20EnabledLooksRareAggregator), I think Medium severity is appropriate.
Ok
#6 - C4-Staff
2022-12-20T23:47:34Z
JeeberC4 marked the issue as duplicate of #127
77.2215 USDC - $77.22
The TokenRescuer contract helps to rescue eth and erc20 tokens and can only be called by the owner. However, any trapped eth or erc20 tokens can actually be taken out by anyone. Essentially the function and access control of the TokenReceiver contract can be bypassed. This can be a low risk issue, but classified as med since it directly bypasses some access control.
foundry
Store the purchase price of the NFT and the credited amount and only return the balance difference, not the entire contract balance.
#0 - c4-judge
2022-11-20T10:43:38Z
Picodes marked the issue as duplicate of #277
#1 - c4-judge
2022-12-16T14:02:06Z
Picodes marked the issue as satisfactory
π Selected for report: RaymondFam
Also found by: 0x1f8b, 0x52, 0xSmartContract, 0xc0ffEE, 0xhacksmithh, 8olidity, Awesome, BClabs, Bnke0x0, Chom, Deivitto, Hashlock, IllIllI, Josiah, KingNFT, Nyx, R2, ReyAdmirado, Rolezn, SamGMK, Sathish9098, SinceJuly, V_B, Vadis, Waze, a12jmx, adriro, ajtra, aphak5010, bearonbike, bin, brgltd, carlitox477, carrotsmuggler, cccz, ch0bu, chaduke, datapunk, delfin454000, erictee, fatherOfBlocks, fs0c, horsefacts, jayphbee, ktg, ladboy233, pashov, perseverancesuccess, rbserver, ret2basic, tnevler, zaskoh
36.3434 USDC - $36.34
LooksRareAggregator only checks if the set fee bp <= 10000. This allows instances of 10000bp fees, or 100% fees.
LooksRareAggregator has token recovery options for erc20, erc721 and erc1155. However ERC20EnabledAggregator does not have recovery options for any of them. It is unlikely ERC20EnabledAggregator will ever come across erc721 or erc1155, but it is quite likely some user might send erc20 to the contract by mistake which will become unrecoverable.
If protocol returns WETH on ETH purchases, they wont be returned to the user
#0 - c4-judge
2022-11-21T19:14:10Z
Picodes marked the issue as grade-b
#1 - c4-sponsor
2022-11-24T23:06:44Z
0xhiroshi marked the issue as sponsor disputed