Infinity NFT Marketplace contest - cccz's results

The world's most advanced NFT marketplace.

General Information

Platform: Code4rena

Start Date: 14/06/2022

Pot Size: $50,000 USDC

Total HM: 19

Participants: 99

Period: 5 days

Judge: HardlyDifficult

Total Solo HM: 4

Id: 136

League: ETH

Infinity NFT Marketplace

Findings Distribution

Researcher Performance

Rank: 24/99

Findings: 5

Award: $418.60

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

11.084 USDC - $11.08

Labels

bug
duplicate
3 (High Risk)
sponsor confirmed

External Links

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L1229-L1232

Vulnerability details

Impact

The rescueETH function of the InfinityExchange contract is meant to withdraw the ether held by the contract, but the value passed to .call is msg.value instead of address(this).balance, so the fees already held in the contract remain locked.

Proof of Concept

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L1229-L1232

Tools Used

None

function rescueETH(address destination) external payable onlyOwner { - (bool sent, ) = destination.call{value: msg.value}(''); + (bool sent, ) = destination.call{value: address(this).balance}(''); require(sent, 'failed'); }
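Review bot: with the value now taken from address(this).balance, the `payable` modifier on rescueETH no longer serves a purpose (any ETH sent with the call simply joins the balance being forwarded), so consider dropping it; it would also help to emit an event carrying the amount sent so the rescue is visible off-chain.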

#0 - nneverlander

2022-06-22T11:17:57Z

Duplicate

#2 - HardlyDifficult

2022-07-09T16:43:35Z

Findings Information

Labels

bug
duplicate
3 (High Risk)

Awards

84.0967 USDC - $84.10

External Links

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L326

Vulnerability details

Impact

In the takeMultipleOneOrders and takeOrders functions of the InfinityExchange contract, when msg.value > totalPrice, the excess ether is not returned to the user.

Proof of Concept

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L326 https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L362

Tools Used

None

Return the excess ether to msg.sender, or require msg.value == totalPrice.

#0 - KenzoAgada

2022-06-21T12:22:19Z

Duplicate of #244

#1 - HardlyDifficult

2022-07-10T12:40:46Z

Findings Information

Labels

bug
duplicate
2 (Med Risk)
disagree with severity
sponsor acknowledged

Awards

21.1924 USDC - $21.19

External Links

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L1266-L1269

Vulnerability details

Impact

The owner can set PROTOCOL_FEE_BPS to 10000 in the setProtocolFee function of the InfinityExchange contract, and could do so to frontrun a user's token transfer.

Proof of Concept

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L1266-L1269

Tools Used

None

Consider adding a limit to PROTOCOL_FEE_BPS in the setProtocolFee function.

#0 - nneverlander

2022-06-23T12:28:55Z

Duplicate

#1 - HardlyDifficult

2022-07-11T00:03:59Z

Findings Information

🌟 Selected for report: obtarian

Also found by: 0xsanson, cccz

Labels

bug
duplicate
2 (Med Risk)

Awards

253.2462 USDC - $253.25

External Links

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L303

Vulnerability details

Impact

In the takeMultipleOneOrders and takeOrders functions of the InfinityExchange contract, if currency != address(0), msg.value == 0 should be required; otherwise the user may lose ether that was accidentally sent.

Proof of Concept

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L303 https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L344

Tools Used

None

Add the following check to the takeMultipleOneOrders and takeOrders functions:

if (currency != address(0)) require(msg.value == 0); // ERC20 payment: reject any ETH sent along
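As an added example (not the Infinity code), the two takeOrders findings above (excess ether not refunded; ETH accepted alongside an ERC20 payment) handled in one constructed taker, with the unchecked form beside the hardened one. The Order struct, the Refund event and the elided settlement steps are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Constructed illustration, not the Infinity codebase: a minimal taker showing the two
// ETH-handling checks recommended above (refund any excess; no ETH with ERC20 orders).
contract TakerPaymentExample {
    event Refund(address indexed to, uint256 amount);
    // Hypothetical order: only the fields needed to sum the price.
    struct Order {
        address currency; // address(0) means native ETH
        uint256 price;
    }

    // Vulnerable pattern: msg.value is only bounded from below, so ETH sent with an
    // ERC20 order, or any amount above totalPrice, is silently kept by the contract.
    function takeOrdersUnchecked(Order[] calldata orders) external payable {
        uint256 totalPrice = _sum(orders);
        if (orders[0].currency == address(0)) {
            require(msg.value >= totalPrice, "insufficient ETH");
        }
        // ... settle orders; the surplus is never returned
    }

    // Hardened pattern: ERC20 orders must carry no ETH; ETH orders must cover totalPrice
    // and any surplus is refunded to the taker after settlement.
    function takeOrders(Order[] calldata orders) external payable {
        uint256 totalPrice = _sum(orders);
        if (orders[0].currency != address(0)) {
            require(msg.value == 0, "ETH sent with ERC20 order"); // would otherwise be lost
            // ... settle in the ERC20 for exactly totalPrice
        } else {
            require(msg.value >= totalPrice, "insufficient ETH");
            // ... settle in ETH for exactly totalPrice
            uint256 excess = msg.value - totalPrice;
            if (excess > 0) {
                (bool ok, ) = msg.sender.call{value: excess}("");
                require(ok, "refund failed");
                emit Refund(msg.sender, excess);
            }
        }
    }

    function _sum(Order[] calldata orders) internal pure returns (uint256 total) {
        require(orders.length > 0, "no orders");
        for (uint256 i = 0; i < orders.length; i++) {
            require(orders[i].currency == orders[0].currency, "mixed currencies");
            total += orders[i].price;
        }
    }
}
```

The refund is sent only after settlement so that a taker contract receiving the refund cannot re-enter before the orders are filled.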

#0 - KenzoAgada

2022-06-21T12:31:55Z

Duplicate of #346

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/staking/InfinityStaker.sol#L364-L372

Vulnerability details

Impact

The updatePenalties function does not emit events, and the owner can set the *_MONTH_PENALTY values to a very large value, which may be used to frontrun a user's rageQuit.

Proof of Concept

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/staking/InfinityStaker.sol#L364-L372

Tools Used

None

Consider adding a limit for the *_MONTH_PENALTY values in the updatePenalties function and emitting an event on change.
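Added example (not the Infinity code) covering both the setProtocolFee finding above and this updatePenalties finding: owner-only setters bounded by hard caps that emit an event on every change. The cap values, the starting values, and the THREE/SIX/TWELVE_MONTH_PENALTY names standing in for *_MONTH_PENALTY are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Constructed illustration, not the Infinity codebase: owner-set parameters bounded by
// hard caps and announced through events, as the two findings above recommend.
contract BoundedParamsExample {
    address public immutable owner;
    // Assumed caps; a real protocol would pick its own bounds.
    uint16 public constant MAX_PROTOCOL_FEE_BPS = 1_000; // 10%
    uint32 public constant MAX_MONTH_PENALTY = 10;
    // Sample starting values (constructed, not the deployed defaults).
    uint16 public PROTOCOL_FEE_BPS = 250;
    uint32 public THREE_MONTH_PENALTY = 3;
    uint32 public SIX_MONTH_PENALTY = 2;
    uint32 public TWELVE_MONTH_PENALTY = 1;
    event ProtocolFeeUpdated(uint16 oldBps, uint16 newBps);
    event PenaltiesUpdated(uint32 threeMonth, uint32 sixMonth, uint32 twelveMonth);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor() { owner = msg.sender; }

    // Without the cap an owner could set 10_000 bps (100%) and frontrun a taker so the
    // entire price is collected as fee; the cap bounds the worst case.
    function setProtocolFee(uint16 bps) external onlyOwner {
        require(bps <= MAX_PROTOCOL_FEE_BPS, "fee above cap");
        emit ProtocolFeeUpdated(PROTOCOL_FEE_BPS, bps);
        PROTOCOL_FEE_BPS = bps;
    }

    // Same pattern for the rageQuit penalties: each value is bounded and the change
    // is emitted so off-chain monitoring can alert on it.
    function updatePenalties(uint32 threeMonth, uint32 sixMonth, uint32 twelveMonth) external onlyOwner {
        require(
            threeMonth <= MAX_MONTH_PENALTY && sixMonth <= MAX_MONTH_PENALTY && twelveMonth <= MAX_MONTH_PENALTY,
            "penalty above cap"
        );
        THREE_MONTH_PENALTY = threeMonth;
        SIX_MONTH_PENALTY = sixMonth;
        TWELVE_MONTH_PENALTY = twelveMonth;
        emit PenaltiesUpdated(threeMonth, sixMonth, twelveMonth);
    }
}
```

A cap only bounds how much a frontrun can cost; to close the window entirely, parameter changes should additionally pass through a timelock so users see the new value before it takes effect.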

#0 - nneverlander

2022-06-23T12:29:02Z

Duplicate

#1 - HardlyDifficult

2022-07-10T21:32:21Z

Fair consideration. Lowering risk and converting this into a QA report for the warden.
