Platform: Code4rena
Start Date: 18/10/2022
Pot Size: $75,000 USDC
Total HM: 27
Participants: 144
Period: 7 days
Judge: gzeon
Total Solo HM: 13
Id: 170
League: ETH
Rank: 55/144
Findings: 3
Award: $57.64
π Selected for report: 0
π Solo Findings: 0
π Selected for report: minhtrng
Also found by: Deivitto, V_B, __141345__, adriro, cdahlheimer, d3e4, ladboy233, nadin, teawaterwire
1.9681 USDC - $1.97
https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L484-L539 https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L1185-L1193
Weak PRNG due to a modulo on block.timestamp, now or blockhash. These can be influenced by miners to some extent so they should be avoided.
Example exploit scenario. Eve is a miner. Eve calls guessing and re-orders the block containing the transaction. As a result, Eve wins the game.
HolographOperator.crossChainMessage(bytes) (HolographOperator.sol#484-539) uses a weak PRNG: "operatorIndex = random % podSize (HolographOperator.sol#511)" HolographOperator.crossChainMessage(bytes) (HolographOperator.sol#484-539) uses a weak PRNG: "pod = random % _operatorPods.length (HolographOperator.sol#503)" HolographOperator._randomBlockHash(uint256,uint256,uint256) (HolographOperator.sol#1185-1193) uses a weak PRNG: "(random + uint256(blockhash(uint256)(block.number - n))) % podSize (HolographOperator.sol#1191)" Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#weak-PRNG
Slither
Do not use block.timestamp, now or blockhash as a source of randomness
#0 - gzeoneth
2022-11-19T17:33:52Z
using #427 as primary
π Selected for report: Rolezn
Also found by: 0x1f8b, 0x52, 0x5rings, 0xNazgul, 0xSmartContract, 0xZaharina, 0xhunter, 0xzh, 8olidity, Amithuddar, Aymen0909, B2, Bnke0x0, Chom, Deivitto, Diana, Diraco, Dravee, Franfran, JC, Jeiwan, Josiah, JrNet, Jujic, KingNFT, KoKo, Lambda, Margaret, Migue, Ocean_Sky, PaludoX0, Picodes, Rahoz, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Shinchan, Tagir2003, Trust, Waze, Yiko, __141345__, a12jmx, adriro, ajtra, arcoun, aysha, ballx, bin2chen, bobirichman, brgltd, bulej93, catchup, catwhiskeys, caventa, cccz, cdahlheimer, ch0bu, chaduke, chrisdior4, cloudjunky, cryptostellar5, cryptphi, csanuragjain, cylzxje, d3e4, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, hansfriese, i_got_hacked, ignacio, imare, karanctf, kv, leosathya, louhk, lukris02, lyncurion, m_Rassska, malinariy, martin, mcwildy, mics, minhtrng, nicobevi, oyc_109, pashov, peanuts, pedr02b2, peiw, rbserver, ret2basic, rotcivegaf, rvierdiiev, ryshaw, sakman, sakshamguruji, saneryee, securerodd, seyni, sikorico, svskaushik, teawaterwire, tnevler, w0Lfrum
55.6726 USDC - $55.67
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/abstract/ERC20H.sol#L106-L229
Contract ERC20H has payable functions (receive(), fallback(), etc.), but does not have a function to withdraw, therefore, every Ether sent to HolographERC20 will be lost.
Contract functions and structure illustrate the concept.
Slither
Remove the payable attribute or add a withdraw function.
#0 - alexanderattar
2022-11-08T21:58:05Z
Low risk but valid. We will either remove the payable attribute or add a withdraw function as suggested
#1 - gzeoneth
2022-11-21T07:18:17Z
As QA report
π Selected for report: oyc_109
Also found by: 0x040, 0x1f8b, 0x5rings, 0xNazgul, 0xSmartContract, 0xZaharina, 0xsam, 0xzh, 2997ms, Amithuddar, Aymen0909, B2, Bnke0x0, Deivitto, Diana, Dinesh11G, Franfran, JC, JrNet, Jujic, KingNFT, KoKo, Mathieu, Metatron, Mukund, Olivierdem, PaludoX0, Pheonix, Picodes, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Saintcode_, Satyam_Sharma, Shinchan, Tagir2003, Tomio, Waze, Yiko, __141345__, adriro, ajtra, aysha, ballx, beardofginger, bobirichman, brgltd, bulej93, catchup, catwhiskeys, cdahlheimer, ch0bu, chaduke, chrisdior4, cryptostellar5, cylzxje, d3e4, delfin454000, dharma09, djxploit, durianSausage, emrekocak, erictee, exolorkistis, fatherOfBlocks, gianganhnguyen, gogo, halden, hxzy, i_got_hacked, iepathos, karanctf, leosathya, lucacez, lukris02, lyncurion, m_Rassska, martin, mcwildy, mics, nicobevi, peanuts, peiw, rbserver, ret2basic, rotcivegaf, ryshaw, sakman, sakshamguruji, saneryee, sikorico, skyle, svskaushik, tnevler, vv7, w0Lfrum, zishansami
0 USDC - $0.00
Admin.admin() - https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/abstract/Admin.sol#L117-L119
Admin.setAdmin(address) - https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/abstract/Admin.sol#L127-L131
public functions that are never called by the contract should be declared external, and its immutable parameters should be located in calldata to save gas.
Use the external attribute for functions never called from the contract, and change the location of immutable parameters to calldata to save gas.